{"level":"info","ts":"2026-06-14T03:52:24.289Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:24.468Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:24.468Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:24.566Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:24.569Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:24.571Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:52:24.667Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:24.667Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-14T03:52:24.672Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:52:24.672Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:24.674Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:24.981Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:25.071Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:26.170Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["WasmPlugin","HTTPRoute","ConfigMap","Limitador","AuthPolicy"],"eventTypes":{"update":6}} {"level":"info","ts":"2026-06-14T03:52:26.180Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:26.182Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:26.268Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:26.268Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:26.273Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:26.273Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:26.276Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:52:26.276Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:26.276Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:26.372Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:26.567Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:27.481Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:27.677Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:28.772Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","ConfigMap","Limitador","AuthPolicy"],"eventTypes":{"update":30}} {"level":"info","ts":"2026-06-14T03:52:28.783Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:28.785Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:28.868Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:28.868Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:29.066Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:29.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:29.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:29.069Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:52:29.069Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:29.072Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:29.076Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:29.287Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:29.376Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:29.972Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":5}} {"level":"info","ts":"2026-06-14T03:52:29.981Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:30.167Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:30.177Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:30.266Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:30.267Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:30.267Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:30.269Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:52:30.269Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:30.270Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:30.270Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:30.275Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:30.490Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:30.574Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:32.474Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-14T03:52:32.674Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:32.674Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:32.674Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:34.775Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","ConfigMap","AuthPolicy"],"eventTypes":{"update":29}} {"level":"info","ts":"2026-06-14T03:52:35.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:35.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:35.070Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:40.768Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","ConfigMap","AuthPolicy"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-14T03:52:40.869Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:40.870Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:40.871Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:52:40.875Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:40.875Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:40.879Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:42.373Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","WasmPlugin","TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":7}} {"level":"info","ts":"2026-06-14T03:52:42.381Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:42.383Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:42.567Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:42.567Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:42.672Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:42.672Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:42.672Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:42.678Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:42.770Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:42.771Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:52:42.771Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:43.007Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:43.071Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:43.769Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":5}} {"level":"info","ts":"2026-06-14T03:52:43.778Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:43.780Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:43.969Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:43.969Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:43.974Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:44.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:44.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:44.071Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:52:44.071Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:44.074Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:44.289Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:44.567Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:49.377Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"delete":1,"update":1}} {"level":"info","ts":"2026-06-14T03:52:49.474Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:49.474Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:49.566Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:49.569Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:52:49.578Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:50.888Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","AuthPolicy","TokenRateLimitPolicy","ConfigMap","WasmPlugin","Limitador"],"eventTypes":{"update":7}} {"level":"info","ts":"2026-06-14T03:52:51.068Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:51.070Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:51.167Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:51.167Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:51.172Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:51.172Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:51.172Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:51.266Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:51.269Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:52:51.269Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:51.270Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:52.191Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:52.274Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:53.270Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","AuthConfig","ConfigMap","Limitador","TokenRateLimitPolicy"],"eventTypes":{"update":32}} {"level":"info","ts":"2026-06-14T03:52:53.278Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:52:53.280Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:52:53.467Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:52:53.467Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:53.475Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:53.475Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:53.475Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:53.570Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:53.570Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:53.572Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:52:53.572Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:53.793Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:52:53.971Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:58.667Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","AuthPolicy","ConfigMap","HTTPRoute"],"eventTypes":{"create":1,"update":3}} {"level":"info","ts":"2026-06-14T03:52:58.869Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:58.871Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:52:58.871Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:52:58.874Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:52:58.879Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:52:58.970Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:52:59.068Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:00.367Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:00.468Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:00.568Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy"],"eventTypes":{"create":1,"update":1}} {"level":"info","ts":"2026-06-14T03:53:00.672Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:00.677Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:00.677Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:00.775Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:00.779Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"error","ts":"2026-06-14T03:53:00.871Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:00.871Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"error","ts":"2026-06-14T03:53:00.875Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-14T03:27:10Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:32Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system","resourceVersion":"50284","uid":"f284daed-71e2-4900-9901-3a4bee1c5728"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:32Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:32Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:00.967Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-external-model","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-external-model#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0\" already exists"} {"level":"error","ts":"2026-06-14T03:53:00.975Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-14T03:27:51Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:51:46Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system","resourceVersion":"50276","uid":"016600f2-5de0-4eec-9329-ae8388194a89"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:51:46Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:51:46Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:00.983Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-14T03:27:51Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:27Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"50288","uid":"63c5f50f-edda-4a0b-81cf-3ab0e5c895bb"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:27Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:27Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.067Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":"2026-06-14T03:28:13Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:21Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system","resourceVersion":"50274","uid":"5229f48a-0fa2-459a-85bd-dfe8c3309275"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:21Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:21Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.067Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-14T03:25:56Z","generation":201,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"9d616df0-362e-425c-95ea-424da71f7f24\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:49Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"9d616df0-362e-425c-95ea-424da71f7f24"}],"resourceVersion":"50227","uid":"19588873-bc33-4949-9fde-9704d994bd6a"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3a3f373728cce028ba7a2d283f6cf98e56c254fd75bc4aef176fb6327d6a347c","routeRuleConditions":{"hostnames":["keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]}],"name":"4b77f64765a45c34fc0c46ec3eb3fefd5099ba53f484e065861ce52ebf0e58e3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-external-model')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]}],"name":"2353fe625a0d4b76d877c4b87e1bf058d72d76bda7fbcbb6113dc93cea20b10f","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/')","request.headers.exists(h, h.lowerAscii() == 'x-gateway-model-name' && request.headers[h] == 'gpt-3.5-turbo')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.076Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-14T03:27:10Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:09Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system","resourceVersion":"50273","uid":"8d1dcc2d-5e5c-469a-8a9b-d651ef7e1378"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:09Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:09Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.084Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-14T03:27:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:50:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:52Z"}],"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system","resourceVersion":"50299","uid":"c3e0b540-c4ed-4388-a2dd-ebbfacdf33cf"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:50:34Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:50:34Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.092Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-14T03:27:21Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:21Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:52Z"}],"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system","resourceVersion":"50300","uid":"c0150c00-3dac-4106-a0f6-e68d3d595006"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:21Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:21Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.103Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-external-model","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-external-model#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11\" already exists"} {"level":"error","ts":"2026-06-14T03:53:01.111Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":"2026-06-14T03:28:13Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:46:38Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system","resourceVersion":"50259","uid":"2e7d5ee0-6d73-4ba2-be8a-5211acdfa5bf"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:46:38Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:46:38Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.118Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":"2026-06-14T03:26:49Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:51:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system","resourceVersion":"50270","uid":"5298db57-8a02-4eec-a178-a30f805bac76"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:51:47Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:51:47Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.125Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-14T03:27:10Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:33Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system","resourceVersion":"50290","uid":"093918e9-5ac1-43f7-a96f-a56ae3a3ec6a"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:33Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:33Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.133Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-14T03:27:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:32Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system","resourceVersion":"50277","uid":"a04bda4c-35cf-4444-b2d8-c80710147bfc"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:32Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:32Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.140Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-14T03:27:10Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:32Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system","resourceVersion":"50271","uid":"65e4a25f-23c1-49cb-904e-830731d63846"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:32Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:32Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.148Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-14T03:27:21Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:14Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:52Z"}],"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system","resourceVersion":"50297","uid":"bff40733-130b-43b3-9696-f15ee1cc41b6"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.155Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-14T03:27:34Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:47:56Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system","resourceVersion":"50280","uid":"76589d38-adce-481c-8b2e-06728deeaa46"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:47:56Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:47:56Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.162Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-14T03:27:00Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:50:09Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:52Z"}],"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system","resourceVersion":"50301","uid":"290c38ab-836c-42c2-b139-4e275680dd1c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:50:09Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:50:09Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.173Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-14T03:27:51Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:51Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system","resourceVersion":"50269","uid":"37920673-da4c-47af-a917-0d1a650c13aa"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:51Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:51Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.181Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-14T03:27:51Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:50:51Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system","resourceVersion":"50272","uid":"39adb16c-ccfc-4287-a6e2-d5dc58ebaa15"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:50:51Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:50:51Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.188Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":"2026-06-14T03:28:13Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:26Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:52Z"}],"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system","resourceVersion":"50302","uid":"974202fa-67df-4ce2-a65d-00c55e81db50"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:26Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:26Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.196Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-14T03:27:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:50:08Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"50291","uid":"7a884cd9-c298-4778-a6f9-128322468404"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:50:08Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:50:08Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.203Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":"2026-06-14T03:28:13Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:52Z"}],"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system","resourceVersion":"50298","uid":"4df9ba43-16b1-4110-9831-35d861418f65"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:52Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:52Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.211Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":"2026-06-14T03:26:49Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:51Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system","resourceVersion":"50292","uid":"9e182801-510a-472f-9e8f-f7716d7e54d4"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:51Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:51Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.218Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-14T03:27:21Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:14Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system","resourceVersion":"50275","uid":"d008ff11-edc9-4db4-ade0-36adaaad93d7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.225Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-14T03:27:34Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:27Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system","resourceVersion":"50265","uid":"4b6c3d41-6f5b-406d-8f67-8ff22c6a6456"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:27Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:27Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.232Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-14T03:27:34Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:26Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system","resourceVersion":"50281","uid":"07c7c5f4-142e-40ff-913e-495e0001ba51"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:26Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:26Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.239Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":"2026-06-14T03:26:49Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:52:14Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system","resourceVersion":"50296","uid":"fe2c32ed-fdab-442a-bbf4-b8aaf00ff26d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:52:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:52:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.250Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-14T03:27:21Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:51:40Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system","resourceVersion":"50262","uid":"ce9baea7-5305-4f37-b93e-aa75a9978edf"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:51:40Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:51:40Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.257Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-14T03:27:34Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-14T03:51:09Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:52:51Z"}],"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system","resourceVersion":"50264","uid":"a9399eaf-cc61-492c-aee1-29d7f98f6e2b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-14T03:51:09Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-14T03:51:09Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.271Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"37d315bf-894d-4c9f-8581-a88a0f499ef7","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.277Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"8401d182-aead-4fb7-97b1-724dd64fee2a","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.278Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.290Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-e2e-external-model","namespace":"llm","uid":"c09fec4b-ae03-4b17-bb76-97bf59f20c9c","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-e2e-external-model\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.296Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"maas-default-gateway","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:01.467Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-external-model","namespace":"llm","uid":"95375627-4f71-4085-8a60-e06949ea5b8b","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-external-model\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:02.574Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","Limitador","HTTPRoute","TokenRateLimitPolicy","WasmPlugin","Gateway","ConfigMap","AuthPolicy"],"eventTypes":{"create":3,"update":36}} {"level":"info","ts":"2026-06-14T03:53:02.671Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:02.770Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:02.874Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:02.874Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:02.971Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:02.973Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:02.973Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:03.066Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:03.069Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:53:03.071Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-14T03:53:03.075Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:03.075Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:03.868Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:03.971Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:05.177Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","AuthConfig","WasmPlugin","Limitador","HTTPRoute","AuthPolicy"],"eventTypes":{"create":2,"update":5}} {"level":"info","ts":"2026-06-14T03:53:05.186Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:05.268Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:05.277Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:05.277Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:05.375Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:05.376Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:05.468Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:53:05.470Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:05.470Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:05.768Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:05.770Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:06.072Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:06.173Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:06.183Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}} {"level":"error","ts":"2026-06-14T03:53:06.685Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:07.180Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","ConfigMap","AuthPolicy"],"eventTypes":{"update":3}} {"level":"info","ts":"2026-06-14T03:53:07.289Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:07.368Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:07.469Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:07.469Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:07.471Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:07.471Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:07.471Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:07.474Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:07.571Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:07.571Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:07.571Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:07.973Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:08.068Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:08.767Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","ConfigMap"],"eventTypes":{"update":5}} {"level":"info","ts":"2026-06-14T03:53:08.777Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:08.779Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:08.870Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:08.870Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:08.870Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:08.870Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:08.969Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:08.870Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:09.070Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:09.070Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:09.290Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:09.370Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:26.373Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway","HTTPRoute"],"eventTypes":{"delete":1,"update":2}} {"level":"info","ts":"2026-06-14T03:53:26.479Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:26.568Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:26.575Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:53:26.667Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:26.667Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:26.678Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:26.773Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:27.098Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:27.174Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:28.370Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap","WasmPlugin","AuthConfig"],"eventTypes":{"delete":2,"update":6}} {"level":"info","ts":"2026-06-14T03:53:28.472Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:28.474Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:28.571Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:28.571Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:28.575Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:28.575Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:28.669Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:28.671Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:28.673Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:28.673Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:29.077Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:29.087Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:29.775Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":5}} {"level":"info","ts":"2026-06-14T03:53:29.785Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:29.787Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:29.873Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:29.873Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:29.873Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:29.875Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:29.875Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:29.875Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:29.875Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:30.169Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:30.304Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:30.376Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:39.094Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"delete":1,"update":1}} {"level":"info","ts":"2026-06-14T03:53:39.267Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:39.267Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:39.272Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:39.376Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:53:39.468Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:39.768Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","Gateway","HTTPRoute"],"eventTypes":{"delete":1,"update":2}} {"level":"info","ts":"2026-06-14T03:53:39.878Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:39.974Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:39.977Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-14T03:53:40.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:40.067Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-14T03:53:40.074Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:40.074Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:40.176Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-14T03:53:40.467Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-14T03:25:56Z","generation":204,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"9d616df0-362e-425c-95ea-424da71f7f24\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-14T03:53:26Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"9d616df0-362e-425c-95ea-424da71f7f24"}],"resourceVersion":"50870","uid":"19588873-bc33-4949-9fde-9704d994bd6a"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3a3f373728cce028ba7a2d283f6cf98e56c254fd75bc4aef176fb6327d6a347c","routeRuleConditions":{"hostnames":["keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:41.067Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"37d315bf-894d-4c9f-8581-a88a0f499ef7","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-14T03:53:41.073Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"8401d182-aead-4fb7-97b1-724dd64fee2a","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:41.084Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:41.276Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:42.387Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy","WasmPlugin","TokenRateLimitPolicy","ConfigMap","Limitador"],"eventTypes":{"delete":2,"update":33}} {"level":"info","ts":"2026-06-14T03:53:42.396Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:42.467Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:42.667Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:42.667Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:42.670Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:42.671Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:42.671Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:42.671Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:42.673Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:42.673Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:42.770Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:42.979Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:43.174Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:43.672Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","ConfigMap","TokenRateLimitPolicy","AuthPolicy"],"eventTypes":{"update":5}} {"level":"info","ts":"2026-06-14T03:53:43.772Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-14T03:53:43.774Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-14T03:53:43.870Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-14T03:53:43.870Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:43.877Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:43.967Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:43.967Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:43.973Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:44.073Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:44.075Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:44.075Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:44.391Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:44.473Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:46.973Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"create":1,"update":1}} {"level":"info","ts":"2026-06-14T03:53:47.273Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:47.273Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:47.275Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:47.275Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:47.276Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:47.276Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:47.370Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:47.582Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:47.767Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-14T03:53:47.773Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-1366af1e","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-1366af1e\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:47.870Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-14T03:53:47.971Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:47.975Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:47.977Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:47.977Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:48.068Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:48.068Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:48.071Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:48.473Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"error","ts":"2026-06-14T03:53:48.496Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-1366af1e","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-1366af1e\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:48.572Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:49.088Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-14T03:53:49.175Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:49.175Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:49.177Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:49.177Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:49.371Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:49.371Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:49.371Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:49.690Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:49.768Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-14T03:53:49.774Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-1366af1e","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-1366af1e\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:53:50.377Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-14T03:53:50.575Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:50.575Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:50.772Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:50.869Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:50.872Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:50.967Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:50.967Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:51.174Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:51.272Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:52.978Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"delete":1,"update":1}} {"level":"info","ts":"2026-06-14T03:53:53.172Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:53.173Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:53.177Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:53.177Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:53.371Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:53.371Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:53.371Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:53.590Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:53:53.767Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:59.374Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"create":1,"update":1}} {"level":"info","ts":"2026-06-14T03:53:59.476Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:59.476Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:53:59.479Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:53:59.479Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:59.572Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:53:59.572Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:53:59.578Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:53:59.983Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:54:00.069Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-14T03:54:00.072Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-397736e7","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-397736e7\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:54:00.088Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-14T03:54:00.374Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:00.376Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:54:00.376Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:00.473Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:54:00.475Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:54:00.475Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:00.568Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:00.867Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"error","ts":"2026-06-14T03:54:00.882Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-397736e7","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-397736e7\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:54:00.968Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:01.477Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-14T03:54:01.672Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:01.676Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:54:01.678Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:54:01.678Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:01.770Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:01.772Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:54:01.772Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:02.177Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:54:02.269Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-14T03:54:02.280Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-397736e7","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-397736e7\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-14T03:54:02.681Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-14T03:54:02.878Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:02.966Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:54:02.967Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:02.970Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:54:02.972Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:54:02.972Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:03.068Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:03.372Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:54:03.381Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:06.176Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"delete":1,"update":1}} {"level":"info","ts":"2026-06-14T03:54:06.374Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:06.378Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-14T03:54:06.468Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-14T03:54:06.468Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:06.470Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-14T03:54:06.470Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-14T03:54:06.473Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-14T03:54:06.781Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-14T03:54:06.874Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}