self = <test_api_keys.TestAPIKeySubscriptionPhases object at 0x7fdbc6a5a160> def test_create_key_for_pending_subscription(self): """API key creation succeeds for Pending subscription.""" ns = _ns() subscription_name = "e2e-apikey-pending-sub" auth_name = "e2e-apikey-pending-auth" sa_name = "e2e-apikey-pending-sa" try: oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE) sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE) _create_test_auth_policy(auth_name, MODEL_REF, users=[sa_user]) _create_test_subscription(subscription_name, MODEL_REF, users=[sa_user]) _wait_reconcile(seconds=10) # Patch to Pending phase patch_data = { "status": { "phase": "Pending", "conditions": [{ "type": "Ready", "status": "False", "reason": "Pending", "message": "Reconciliation in progress", "lastTransitionTime": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ") }], } } cmd = [ "kubectl", "patch", "maassubscription", subscription_name, "-n", ns, "--type=merge", "--subresource=status", "-p", json.dumps(patch_data) ] result = subprocess.run(cmd, capture_output=True, text=True) assert result.returncode == 0, f"Failed to patch: {result.stderr}" cr = _get_cr("maassubscription", subscription_name, namespace=ns) phase = cr.get("status", {}).get("phase") assert phase == "Pending", f"Expected Pending, got {phase}" # Create API key (should succeed) > api_key = _create_api_key( oc_token, name="pending-sub-test", subscription=subscription_name ) test/e2e/tests/test_api_keys.py:1334: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyN0tVWXdJejQ3Nm5ZbXpobmdJOWZiMXNWc2piR25NclpOekQ4Q0VMNWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...zCWuZkRhVkP9hstcKXogap9OPqsTXm8rkZDfMzT9b9g9HmGoD981DFAGS2gaqraCyuUCG7cZKDL9lQl8p5ItxRcRzw7U1OHgipeTMDoS4-xAR92LynOhkg' name = 'pending-sub-test', subscription = 'e2e-apikey-pending-sub' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:246: RuntimeErrorself = <test_api_keys.TestAPIKeySubscriptionPhases object at 0x7fdbc6a5a4c0> def test_reject_key_for_unreconciled_subscription(self): """ API key creation is rejected for unreconciled subscription (empty phase). Note: Temporarily sets webhook failurePolicy to Ignore to allow creating resources while controller is down, then restores to Fail. """ ns = _ns() subscription_name = "e2e-apikey-unreconciled-sub" auth_name = "e2e-apikey-unreconciled-auth" sa_name = "e2e-apikey-unreconciled-sa" webhook_name = "maas-validating-webhook-configuration" try: # Create service account and get token oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE) sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE) # Temporarily set webhook failurePolicy to Ignore # This allows creates to succeed when controller/webhook is unavailable # Find webhook indices dynamically by name to avoid brittleness result = subprocess.run( ["oc", "get", "validatingwebhookconfiguration", webhook_name, "-o", "json"], capture_output=True, text=True, check=True ) webhook_config = json.loads(result.stdout) patch_ops = [] for idx, webhook in enumerate(webhook_config.get("webhooks", [])): if webhook.get("name") in ["vmaassubscription.kb.io", "vmaasauthpolicy.kb.io"]: patch_ops.append({"op": "replace", "path": f"/webhooks/{idx}/failurePolicy", "value": "Ignore"}) subprocess.run( ["oc", "patch", "validatingwebhookconfiguration", webhook_name, "--type=json", "-p", json.dumps(patch_ops)], capture_output=True, text=True, check=True ) # Scale down controller to prevent reconciliation _scale_controller_down() # Create resources (webhook unavailable but Ignore policy allows creates) _create_test_auth_policy(auth_name, MODEL_REF, users=[sa_user]) _create_test_subscription(subscription_name, MODEL_REF, users=[sa_user]) # Verify subscription is unreconciled (empty phase) cr = _get_cr("maassubscription", subscription_name, namespace=ns) phase = cr.get("status", {}).get("phase", "") assert phase == "", f"Expected empty phase, got: {phase}" log.info("✅ Subscription is unreconciled (empty phase)") # Try to create API key (should fail with 400) response = requests.post( f"{_maas_api_url()}/v1/api-keys", headers={ "Authorization": f"Bearer {oc_token}", "Content-Type": "application/json" }, json={ "name": "unreconciled-sub-test", "subscription": subscription_name }, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert response.status_code == 400, \ f"Expected 400 for unreconciled subscription, got {response.status_code}: {response.text}" E AssertionError: Expected 400 for unreconciled subscription, got 500: E assert 500 == 400 E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1414: AssertionErrorself = <test_subscription.TestMultipleAuthPoliciesPerModel object at 0x7fdbc6926190> def test_two_auth_policies_or_logic(self): """Two auth policies for the premium model with OR logic: user matching either gets access.""" ns = _ns() try: # Create a 2nd auth policy that allows system:authenticated (user's actual group) _apply_cr({ "apiVersion": "maas.opendatahub.io/v1alpha1", "kind": "MaaSAuthPolicy", "metadata": {"name": "e2e-premium-sa-auth", "namespace": ns}, "spec": { "modelRefs": [{"name": PREMIUM_MODEL_REF, "namespace": MODEL_NAMESPACE}], "subjects": {"groups": [{"name": "system:authenticated"}]}, }, }) # Create a subscription for system:authenticated on premium model _apply_cr({ "apiVersion": "maas.opendatahub.io/v1alpha1", "kind": "MaaSSubscription", "metadata": {"name": "e2e-premium-sa-sub", "namespace": ns}, "spec": { "owner": {"groups": [{"name": "system:authenticated"}]}, "modelRefs": [{"name": PREMIUM_MODEL_REF, "namespace": MODEL_NAMESPACE, "tokenRateLimits": [{"limit": 100, "window": "1m"}]}], }, }) _wait_reconcile() # Key must be minted for the premium subscription > api_key = _create_api_key( _get_cluster_token(), name=f"e2e-premium-sa-{uuid.uuid4().hex[:8]}", subscription="e2e-premium-sa-sub", ) test/e2e/tests/test_subscription.py:720: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyN0tVWXdJejQ3Nm5ZbXpobmdJOWZiMXNWc2piR25NclpOekQ4Q0VMNWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...8U8pneKEE3GWJ2i0P-4rgbYsEfenGBF6TMl0k_aBEt4dByx91VDbSmtsL_WHtNXm2sWdqfUtbLRWJI96WM3WClH-F25Cb0PPQ3DkmR_QulG8LtcJoFSeLQ' name = 'e2e-premium-sa-75a7a95d', subscription = 'e2e-premium-sa-sub' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:246: RuntimeErrorself = <test_subscription.TestE2ESubscriptionFlow object at 0x7fdbc6a7b250> def test_e2e_with_both_access_and_subscription_gets_200(self): """ Full E2E test: Create MaaSModelRef, MaaSAuthPolicy, and MaaSSubscription from scratch. API key with both access and subscription should get 200 OK. This is the comprehensive test that validates the complete E2E flow including MaaSModelRef creation and reconciliation. Other tests use existing models for speed. """ ns = _ns() model_ref = "e2e-test-model-success" auth_policy_name = "e2e-test-auth-success" subscription_name = "e2e-test-subscription-success" sa_name = "e2e-sa-success" try: # Create service account and get OC token for maas-api oc_token = _create_sa_token(sa_name, namespace=ns) sa_user = _sa_to_user(sa_name, namespace=ns) # Create model and governance resources together so the model # can reach Ready (requires MaaSSubscription + MaaSAuthPolicy). _create_test_maas_model(model_ref) _create_test_auth_policy(auth_policy_name, model_ref, users=[sa_user]) _create_test_subscription(subscription_name, model_ref, users=[sa_user]) endpoint = _wait_for_maas_model_ready(model_ref, timeout=120) # Extract path from endpoint (e.g., https://maas.../llm/facebook-opt-125m-simulated -> /llm/facebook-opt-125m-simulated) model_path = urlparse(endpoint).path # API key bound to this subscription at mint (inference does not send x-maas-subscription) > api_key = _create_api_key( oc_token, name=f"{sa_name}-key", subscription=subscription_name ) test/e2e/tests/test_subscription.py:1320: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyN0tVWXdJejQ3Nm5ZbXpobmdJOWZiMXNWc2piR25NclpOekQ4Q0VMNWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...so-J-nNXaYwVe12rCacEIgBuPbk-eV_yFLW5_1WVjdbJMtzNyDRil9cgjnI8wjRXtkGCuANccxInd4UmsmnTddeAMmK5Wsnu6i4zb0YRtaHxWz6NyRWUXQ' name = 'e2e-sa-success-key', subscription = 'e2e-test-subscription-success' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:246: RuntimeErrorself = <test_subscription.TestE2ESubscriptionFlow object at 0x7fdbc6a7bc40> def test_e2e_with_access_but_no_subscription_gets_403(self): """ Test: User with access (MaaSAuthPolicy) but not in any subscription gets 403. Uses existing model (facebook-opt-125m-simulated) for faster execution. Note: We temporarily remove simulator-subscription to ensure the test user has auth but no matching subscriptions. """ ns = _ns() auth_policy_name = "e2e-test-auth-no-sub" sa_name = "e2e-sa-no-sub" # Snapshot existing subscription to restore later original_sim = _snapshot_cr("maassubscription", SIMULATOR_SUBSCRIPTION) try: # Create service account and get OC token for maas-api oc_token = _create_sa_token(sa_name, namespace=ns) sa_user = _sa_to_user(sa_name, namespace=ns) # Create auth policy for this specific user _create_test_auth_policy(auth_policy_name, MODEL_REF, users=[sa_user]) # Bind simulator subscription on the key while the CR still exists, then remove it > api_key = _create_api_key( oc_token, name=f"{sa_name}-key", subscription=SIMULATOR_SUBSCRIPTION, ) test/e2e/tests/test_subscription.py:1360: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyN0tVWXdJejQ3Nm5ZbXpobmdJOWZiMXNWc2piR25NclpOekQ4Q0VMNWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...46s8MSplcYUcES5n-a0-_LpKB3rrI8iPb90G1cn_RkNSAArrzLNDHRcBLEehhZQPCk3vmnBYTZiOfi_X4tXt6jzgen2L2WAHb2C2PR9sdf9ycfe9kOiL9A' name = 'e2e-sa-no-sub-key', subscription = 'simulator-subscription' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:246: RuntimeError