--- Authorino logs from kuadrant-system (label=authorino-resource=authorino) --- {"level":"info","ts":"2026-06-15T02:44:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d1616efa-9f33-4298-9117-ba04e3199e34","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d1616efa-9f33-4298-9117-ba04e3199e34","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35640","PortSpecifier":{"PortValue":35640}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6689f86b-34a4-4107-814f-52abaca07c5e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35640","PortSpecifier":{"PortValue":35640}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":511618604},"http":{"id":"6689f86b-34a4-4107-814f-52abaca07c5e","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-fuewe29rfwyIpWt1_JKz43cnEj47JKK54WMk8Bg3Pd2OgDxtHSm3G9ri42Xh"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-fuewe29rfwyIpWt1_JKz43cnEj47JKK54WMk8Bg3Pd2OgDxtHSm3G9ri42Xh\"}"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"cannot fetch metadata","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"reason":"no such key: groups"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6689f86b-34a4-4107-814f-52abaca07c5e","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35648","PortSpecifier":{"PortValue":35648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35648","PortSpecifier":{"PortValue":35648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":544536531},"http":{"id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1EyN3yDs8ZUo81z6G_IkterGOoD2Pw6mzLaXdpsxvhQeuAv3p66WqN57ivgaP"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1EyN3yDs8ZUo81z6G_IkterGOoD2Pw6mzLaXdpsxvhQeuAv3p66WqN57ivgaP\"}"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"6d6392d3-26d6-4b37-8aa6-4eeb1074a378","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c505f3b8-0f4b-4d31-a24f-b644705a4121","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35654","PortSpecifier":{"PortValue":35654}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4d96321c-b410-45dd-baa7-7b332c464bfb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35654","PortSpecifier":{"PortValue":35654}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":579273946},"http":{"id":"4d96321c-b410-45dd-baa7-7b332c464bfb","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d96321c-b410-45dd-baa7-7b332c464bfb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35656","PortSpecifier":{"PortValue":35656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","method":"DELETE","path":"/maas-api/v1/api-keys/fdee6363-739f-41da-aa91-e3796f4f7cc8","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35656","PortSpecifier":{"PortValue":35656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":616817924},"http":{"id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fdee6363-739f-41da-aa91-e3796f4f7cc8",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fdee6363-739f-41da-aa91-e3796f4f7cc8",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1d7d2144-d469-4b8c-ac80-d9a26a97cf75","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35660","PortSpecifier":{"PortValue":35660}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","method":"DELETE","path":"/maas-api/v1/api-keys/fdee6363-739f-41da-aa91-e3796f4f7cc8","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35660","PortSpecifier":{"PortValue":35660}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":651648717},"http":{"id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fdee6363-739f-41da-aa91-e3796f4f7cc8",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fdee6363-739f-41da-aa91-e3796f4f7cc8",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d37bc88-0db7-4f35-bb6b-df07e6777c5a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35672","PortSpecifier":{"PortValue":35672}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"38831c05-e57b-4bed-a83c-ac8b1018beff","method":"DELETE","path":"/maas-api/v1/api-keys/nonexistent-uuid-12345","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35672","PortSpecifier":{"PortValue":35672}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":688475253},"http":{"id":"38831c05-e57b-4bed-a83c-ac8b1018beff","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/nonexistent-uuid-12345",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/nonexistent-uuid-12345",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"38831c05-e57b-4bed-a83c-ac8b1018beff","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a5c75578-091d-4241-b675-d66002c4649e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35686","PortSpecifier":{"PortValue":35686}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a5c75578-091d-4241-b675-d66002c4649e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a5c75578-091d-4241-b675-d66002c4649e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35686","PortSpecifier":{"PortValue":35686}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":725408535},"http":{"id":"a5c75578-091d-4241-b675-d66002c4649e","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"a5c75578-091d-4241-b675-d66002c4649e","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a5c75578-091d-4241-b675-d66002c4649e","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a5c75578-091d-4241-b675-d66002c4649e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a5c75578-091d-4241-b675-d66002c4649e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a5c75578-091d-4241-b675-d66002c4649e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35698","PortSpecifier":{"PortValue":35698}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c0228bfd-b4ea-4995-8911-652ecade7626","method":"DELETE","path":"/maas-api/v1/api-keys/cc9a22c3-b33d-4ebd-a244-07b04bf18c48","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35698","PortSpecifier":{"PortValue":35698}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":759136912},"http":{"id":"c0228bfd-b4ea-4995-8911-652ecade7626","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cc9a22c3-b33d-4ebd-a244-07b04bf18c48",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cc9a22c3-b33d-4ebd-a244-07b04bf18c48",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c0228bfd-b4ea-4995-8911-652ecade7626","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35714","PortSpecifier":{"PortValue":35714}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b3f80d7f-46db-4d66-857f-20bb610942a8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35714","PortSpecifier":{"PortValue":35714}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":790939791},"http":{"id":"b3f80d7f-46db-4d66-857f-20bb610942a8","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b3f80d7f-46db-4d66-857f-20bb610942a8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35724","PortSpecifier":{"PortValue":35724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35724","PortSpecifier":{"PortValue":35724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":826095526},"http":{"id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1a31EDbUpWDp2sYil_W4swzd4RUk4RdDgWpxEZPye6cdNbn27jD35D83QPi3"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1a31EDbUpWDp2sYil_W4swzd4RUk4RdDgWpxEZPye6cdNbn27jD35D83QPi3\"}"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"cannot fetch metadata","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"reason":"no such key: groups"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4e0b9fb9-9fa3-44fc-8a21-dd1b7827580e","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"71ebc425-93cc-4da5-8542-325f287108a2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35734","PortSpecifier":{"PortValue":35734}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"71ebc425-93cc-4da5-8542-325f287108a2","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"71ebc425-93cc-4da5-8542-325f287108a2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35734","PortSpecifier":{"PortValue":35734}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":854315143},"http":{"id":"71ebc425-93cc-4da5-8542-325f287108a2","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ahxenNo4AzQFM7UH_VUVl6aHjD2JsvAo7Uy7hzNxIE0cQxMdWeS5NYTceEF0"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ahxenNo4AzQFM7UH_VUVl6aHjD2JsvAo7Uy7hzNxIE0cQxMdWeS5NYTceEF0\"}"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"71ebc425-93cc-4da5-8542-325f287108a2","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71ebc425-93cc-4da5-8542-325f287108a2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"f6c6f456-5828-4138-898f-1a69295a3095","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"71ebc425-93cc-4da5-8542-325f287108a2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"71ebc425-93cc-4da5-8542-325f287108a2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35740","PortSpecifier":{"PortValue":35740}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35740","PortSpecifier":{"PortValue":35740}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":892691706},"http":{"id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ba3109b1-d04d-4177-8b9a-e8325a7c4bb4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35756","PortSpecifier":{"PortValue":35756}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35756","PortSpecifier":{"PortValue":35756}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":929670880},"http":{"id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c726218c-6f4e-42ff-a565-306a0cad0ce1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35758","PortSpecifier":{"PortValue":35758}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35758","PortSpecifier":{"PortValue":35758}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":963765464},"http":{"id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bec00357-67b0-4f83-8ef6-99c97c6ed919","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35766","PortSpecifier":{"PortValue":35766}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","method":"DELETE","path":"/maas-api/v1/api-keys/57166a0d-efa2-41c6-94db-bf1d2d9d9136","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35766","PortSpecifier":{"PortValue":35766}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491476,"nanos":998262263},"http":{"id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/57166a0d-efa2-41c6-94db-bf1d2d9d9136",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/57166a0d-efa2-41c6-94db-bf1d2d9d9136",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bcb004f2-e1b7-4f31-8448-2ca38991a82f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35772","PortSpecifier":{"PortValue":35772}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","method":"DELETE","path":"/maas-api/v1/api-keys/0b69e6af-44ec-49f2-bcc4-cca9c301fd36","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35772","PortSpecifier":{"PortValue":35772}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":34329039},"http":{"id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/0b69e6af-44ec-49f2-bcc4-cca9c301fd36",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/0b69e6af-44ec-49f2-bcc4-cca9c301fd36",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86ee650d-46e3-4f4c-ba28-6904fce5011e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35788","PortSpecifier":{"PortValue":35788}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","method":"DELETE","path":"/maas-api/v1/api-keys/a95a3d51-481f-4d8c-a6f8-7447954fe05a","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35788","PortSpecifier":{"PortValue":35788}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":68025191},"http":{"id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/a95a3d51-481f-4d8c-a6f8-7447954fe05a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/a95a3d51-481f-4d8c-a6f8-7447954fe05a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b7ca6ae8-0469-4031-bd23-cf1a4d4a79fe","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35800","PortSpecifier":{"PortValue":35800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35800","PortSpecifier":{"PortValue":35800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":110096354},"http":{"id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b78bfd5f-37dd-40b4-ae65-14eaa9fc1f32","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35806","PortSpecifier":{"PortValue":35806}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35806","PortSpecifier":{"PortValue":35806}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":144794081},"http":{"id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a8c1b1eb-8333-400c-955b-27fc5d01b83f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35820","PortSpecifier":{"PortValue":35820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35820","PortSpecifier":{"PortValue":35820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":180731335},"http":{"id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cbcdf8ee-59a6-4bc4-8f78-be714f57bc01","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35832","PortSpecifier":{"PortValue":35832}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f08c1770-9ce6-40cf-85b9-e267c041605d","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35832","PortSpecifier":{"PortValue":35832}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":217837316},"http":{"id":"f08c1770-9ce6-40cf-85b9-e267c041605d","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18QlkPJoSZgfHdO7x_WN6S12JeYeVaOlKPuZYqxIrhJPIzyBx4DM8UYqaDuwp"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18QlkPJoSZgfHdO7x_WN6S12JeYeVaOlKPuZYqxIrhJPIzyBx4DM8UYqaDuwp\"}"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"c47c2b00-5f37-4fca-b597-80d3c23c4a97","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f08c1770-9ce6-40cf-85b9-e267c041605d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f751b5a8-46f7-4f80-b036-abb430900608","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35842","PortSpecifier":{"PortValue":35842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f751b5a8-46f7-4f80-b036-abb430900608","method":"DELETE","path":"/maas-api/v1/api-keys/c47c2b00-5f37-4fca-b597-80d3c23c4a97","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f751b5a8-46f7-4f80-b036-abb430900608","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35842","PortSpecifier":{"PortValue":35842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":249848583},"http":{"id":"f751b5a8-46f7-4f80-b036-abb430900608","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c47c2b00-5f37-4fca-b597-80d3c23c4a97",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"f751b5a8-46f7-4f80-b036-abb430900608","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f751b5a8-46f7-4f80-b036-abb430900608","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c47c2b00-5f37-4fca-b597-80d3c23c4a97",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f751b5a8-46f7-4f80-b036-abb430900608","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f751b5a8-46f7-4f80-b036-abb430900608","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f751b5a8-46f7-4f80-b036-abb430900608","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35844","PortSpecifier":{"PortValue":35844}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","method":"DELETE","path":"/maas-api/v1/api-keys/25c9c503-917a-490e-bee7-424d3d9249e2","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35844","PortSpecifier":{"PortValue":35844}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":284228719},"http":{"id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/25c9c503-917a-490e-bee7-424d3d9249e2",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/25c9c503-917a-490e-bee7-424d3d9249e2",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1f7f180a-9a05-48d9-aba9-f8e91b662eb0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8e34338-0082-4774-afec-da03b1b6b042","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35856","PortSpecifier":{"PortValue":35856}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f8e34338-0082-4774-afec-da03b1b6b042","method":"DELETE","path":"/maas-api/v1/api-keys/cd526006-79f3-45fb-b3d6-e83f7760f830","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8e34338-0082-4774-afec-da03b1b6b042","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35856","PortSpecifier":{"PortValue":35856}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":326665364},"http":{"id":"f8e34338-0082-4774-afec-da03b1b6b042","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cd526006-79f3-45fb-b3d6-e83f7760f830",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"f8e34338-0082-4774-afec-da03b1b6b042","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f8e34338-0082-4774-afec-da03b1b6b042","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cd526006-79f3-45fb-b3d6-e83f7760f830",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8e34338-0082-4774-afec-da03b1b6b042","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8e34338-0082-4774-afec-da03b1b6b042","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8e34338-0082-4774-afec-da03b1b6b042","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"309a23b5-b566-41ac-8128-e335499d17c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35866","PortSpecifier":{"PortValue":35866}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"309a23b5-b566-41ac-8128-e335499d17c5","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"309a23b5-b566-41ac-8128-e335499d17c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35866","PortSpecifier":{"PortValue":35866}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":362869720},"http":{"id":"309a23b5-b566-41ac-8128-e335499d17c5","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"309a23b5-b566-41ac-8128-e335499d17c5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18QlkPJoSZgfHdO7x_WN6S12JeYeVaOlKPuZYqxIrhJPIzyBx4DM8UYqaDuwp"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"309a23b5-b566-41ac-8128-e335499d17c5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18QlkPJoSZgfHdO7x_WN6S12JeYeVaOlKPuZYqxIrhJPIzyBx4DM8UYqaDuwp\"}"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"309a23b5-b566-41ac-8128-e335499d17c5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"cannot fetch metadata","request id":"309a23b5-b566-41ac-8128-e335499d17c5","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"reason":"no such key: groups"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"309a23b5-b566-41ac-8128-e335499d17c5","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"309a23b5-b566-41ac-8128-e335499d17c5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"309a23b5-b566-41ac-8128-e335499d17c5","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"309a23b5-b566-41ac-8128-e335499d17c5","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"efda0307-4638-4159-a548-1d57e063f082","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35878","PortSpecifier":{"PortValue":35878}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"efda0307-4638-4159-a548-1d57e063f082","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"efda0307-4638-4159-a548-1d57e063f082","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35878","PortSpecifier":{"PortValue":35878}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":391485801},"http":{"id":"efda0307-4638-4159-a548-1d57e063f082","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"efda0307-4638-4159-a548-1d57e063f082","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-7AZqrj6D0CISR90Z_UmAjPdbgocvvRKWbSLel3LiyHEyXsQjVLApZGyVBJWU"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"efda0307-4638-4159-a548-1d57e063f082","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-7AZqrj6D0CISR90Z_UmAjPdbgocvvRKWbSLel3LiyHEyXsQjVLApZGyVBJWU\"}"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"efda0307-4638-4159-a548-1d57e063f082","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"cannot fetch metadata","request id":"efda0307-4638-4159-a548-1d57e063f082","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"reason":"no such key: groups"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"efda0307-4638-4159-a548-1d57e063f082","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"efda0307-4638-4159-a548-1d57e063f082","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"efda0307-4638-4159-a548-1d57e063f082","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"efda0307-4638-4159-a548-1d57e063f082","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35886","PortSpecifier":{"PortValue":35886}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/completions","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35886","PortSpecifier":{"PortValue":35886}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":420894232},"http":{"id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dfCWjQuGWxCHIKbE_Z9BzKvYuXfKgMkjJ6Yt8LAbZAfbQC7T1MmUDqSj63RX"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dfCWjQuGWxCHIKbE_Z9BzKvYuXfKgMkjJ6Yt8LAbZAfbQC7T1MmUDqSj63RX\"}"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"cannot fetch metadata","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"reason":"no such key: groups"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bdd05165-3cb0-4082-ac0c-b6e29d0ab8db","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35900","PortSpecifier":{"PortValue":35900}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35900","PortSpecifier":{"PortValue":35900}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":686828652},"http":{"id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5389ce89-f5cb-472c-ad96-c4a607aca1d8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35902","PortSpecifier":{"PortValue":35902}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","method":"POST","path":"/maas-api/v1/api-keys/search","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35902","PortSpecifier":{"PortValue":35902}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":724692911},"http":{"id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a696df6b-4ff0-4666-9e3d-a6afcb57efa0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35906","PortSpecifier":{"PortValue":35906}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","method":"POST","path":"/maas-api/v1/api-keys/search","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35906","PortSpecifier":{"PortValue":35906}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":764257780},"http":{"id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"94e5b2df-c85c-4748-8ba5-cdd4469eb588","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35912","PortSpecifier":{"PortValue":35912}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35912","PortSpecifier":{"PortValue":35912}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491477,"nanos":812597363},"http":{"id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6182d37c-a881-47b8-a4c2-8d7ce54c8ce3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35920","PortSpecifier":{"PortValue":35920}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","method":"GET","path":"/maas-api/v1/api-keys/55df4a94-b061-414e-9395-90b7c062889d","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35920","PortSpecifier":{"PortValue":35920}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491478,"nanos":335307867},"http":{"id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","method":"GET","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/api-keys/55df4a94-b061-414e-9395-90b7c062889d",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/api-keys/55df4a94-b061-414e-9395-90b7c062889d",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"87d2faa2-7139-43bf-b99f-f2d8fa90d3e9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35930","PortSpecifier":{"PortValue":35930}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:35930","PortSpecifier":{"PortValue":35930}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491479,"nanos":98209020},"http":{"id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-apikey-active-sa","uid":"1b32e2f1-4cdb-457b-8543-4adb05665120","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=863f29a0-35a6-4d85-98f5-9b5755cd55e7"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=863f29a0-35a6-4d85-98f5-9b5755cd55e7"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"1b32e2f1-4cdb-457b-8543-4adb05665120","username":"system:serviceaccount:llm:e2e-apikey-active-sa"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-apikey-active-sa"} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5d87d9b-1919-4136-ae7e-53d9c38adfd3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:40Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:44:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:44:50Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"error","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:44:50Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"info","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50820","PortSpecifier":{"PortValue":50820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50820","PortSpecifier":{"PortValue":50820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491498,"nanos":286697482},"http":{"id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-apikey-degraded-sa","uid":"3b57784a-423d-4aff-9e65-d15699a9efec","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=db389f3c-7ee1-4ee1-a30a-1f4a3abb3929"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=db389f3c-7ee1-4ee1-a30a-1f4a3abb3929"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"3b57784a-423d-4aff-9e65-d15699a9efec","username":"system:serviceaccount:llm:e2e-apikey-degraded-sa"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-apikey-degraded-sa\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-apikey-degraded-sa"} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:44:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"34a22de3-0a5f-4a62-bc9c-a203ae49108e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:08Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:08Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"error","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"error","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"info","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:56662","PortSpecifier":{"PortValue":56662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:56662","PortSpecifier":{"PortValue":56662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491517,"nanos":639264354},"http":{"id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-apikey-failed-sa","uid":"5316a27a-53dd-4239-9ef2-7e1eda7acf37","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=b43aa9c3-0c93-4174-8328-05afcdd46926"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=b43aa9c3-0c93-4174-8328-05afcdd46926"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"5316a27a-53dd-4239-9ef2-7e1eda7acf37","username":"system:serviceaccount:llm:e2e-apikey-failed-sa"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-apikey-failed-sa\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-apikey-failed-sa"} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:45:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bb22a717-d715-442b-b681-5e9cb0eaabf7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:27Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:45:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"error","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:45:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:45:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"info","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:52318","PortSpecifier":{"PortValue":52318}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:52318","PortSpecifier":{"PortValue":52318}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491536,"nanos":941376286},"http":{"id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-apikey-pending-sa","uid":"13c8b1b2-9df5-4a60-840d-ee7317299db5","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=76be710d-2b08-4e0c-bbd5-741e0058d16a"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=76be710d-2b08-4e0c-bbd5-741e0058d16a"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"13c8b1b2-9df5-4a60-840d-ee7317299db5","username":"system:serviceaccount:llm:e2e-apikey-pending-sa"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-apikey-pending-sa\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-apikey-pending-sa"} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:45:36Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6d472e8e-bc7e-4540-82d3-07cbb065cdab","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:45532","PortSpecifier":{"PortValue":45532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:45532","PortSpecifier":{"PortValue":45532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491547,"nanos":156689081},"http":{"id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-apikey-unreconciled-sa","uid":"449780d4-2627-456e-9847-16ff8140c9ca","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=4d097d6f-b3cd-4c8b-abe7-ca73adb87038"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=4d097d6f-b3cd-4c8b-abe7-ca73adb87038"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"449780d4-2627-456e-9847-16ff8140c9ca","username":"system:serviceaccount:llm:e2e-apikey-unreconciled-sa"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-apikey-pending-sa\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-apikey-unreconciled-sa"} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:45:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e6dc93b1-5b26-4a0f-8b7b-6cff324b9298","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:09Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:09Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:09Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:09Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:09Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:10Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"info","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47094","PortSpecifier":{"PortValue":47094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47094","PortSpecifier":{"PortValue":47094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491570,"nanos":988333843},"http":{"id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae82f18b-992c-465d-80f8-034c9f2a5ab9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47102","PortSpecifier":{"PortValue":47102}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47102","PortSpecifier":{"PortValue":47102}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491571,"nanos":27171063},"http":{"id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5a04aa6-9e4d-4f70-a51d-358f493aa8c9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47114","PortSpecifier":{"PortValue":47114}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47114","PortSpecifier":{"PortValue":47114}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491571,"nanos":64940410},"http":{"id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5c43d8f7-13f2-472d-b0e0-c75ff68b07fa","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47128","PortSpecifier":{"PortValue":47128}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","method":"POST","path":"/maas-api/v1/api-keys/search","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47128","PortSpecifier":{"PortValue":47128}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491571,"nanos":104939391},"http":{"id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4345bd90-20c4-4bb2-9eb8-fd00b6c3af7e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47140","PortSpecifier":{"PortValue":47140}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","method":"DELETE","path":"/maas-api/v1/api-keys/b7b218e3-d8a7-4752-881d-2d24083d6937","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47140","PortSpecifier":{"PortValue":47140}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491571,"nanos":144664693},"http":{"id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/b7b218e3-d8a7-4752-881d-2d24083d6937",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/b7b218e3-d8a7-4752-881d-2d24083d6937",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d00392f-3fdb-41ae-b841-0f06a5c14c82","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47150","PortSpecifier":{"PortValue":47150}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"63e5af37-7766-407f-8fd4-00c27a57dcba","method":"DELETE","path":"/maas-api/v1/api-keys/9cdce1db-e673-476a-a46c-a05613ba3b69","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47150","PortSpecifier":{"PortValue":47150}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491571,"nanos":184240214},"http":{"id":"63e5af37-7766-407f-8fd4-00c27a57dcba","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/9cdce1db-e673-476a-a46c-a05613ba3b69",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/9cdce1db-e673-476a-a46c-a05613ba3b69",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"63e5af37-7766-407f-8fd4-00c27a57dcba","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47152","PortSpecifier":{"PortValue":47152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","method":"DELETE","path":"/maas-api/v1/api-keys/f8c8b055-2140-4107-a3ea-eee7ecbed50f","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:47152","PortSpecifier":{"PortValue":47152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491571,"nanos":221460790},"http":{"id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f8c8b055-2140-4107-a3ea-eee7ecbed50f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c","uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=89682fe8-9a19-4dd3-a90a-5b5a49a37051"]},"groups":["system:serviceaccounts","system:serviceaccounts:llm","system:authenticated"],"uid":"7e5e24a8-4f6d-445a-8c80-eaecdb5b2906","username":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f8c8b055-2140-4107-a3ea-eee7ecbed50f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:llm:e2e-filter-sa-18110d9c"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:llm\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9a089cad-dc9a-417e-adc0-e4cce6ca4304","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34250","PortSpecifier":{"PortValue":34250}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34250","PortSpecifier":{"PortValue":34250}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":252265411},"http":{"id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e9f76431-1d53-4de8-9c90-a15e094c0de8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34254","PortSpecifier":{"PortValue":34254}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cbd35961-c33c-402e-a64c-6944e6e6a424","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34254","PortSpecifier":{"PortValue":34254}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":287732059},"http":{"id":"cbd35961-c33c-402e-a64c-6944e6e6a424","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cbd35961-c33c-402e-a64c-6944e6e6a424","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34270","PortSpecifier":{"PortValue":34270}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4c482599-0808-4d5d-89ab-95624c73e2bb","method":"POST","path":"/maas-api/v1/api-keys/search","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34270","PortSpecifier":{"PortValue":34270}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":326855943},"http":{"id":"4c482599-0808-4d5d-89ab-95624c73e2bb","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys/search",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c482599-0808-4d5d-89ab-95624c73e2bb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34284","PortSpecifier":{"PortValue":34284}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2dbfd578-d502-42e4-b233-8040d22f4976","method":"DELETE","path":"/maas-api/v1/api-keys/abe971aa-0875-42bc-a077-6b7a53d9a5d9","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34284","PortSpecifier":{"PortValue":34284}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":367190935},"http":{"id":"2dbfd578-d502-42e4-b233-8040d22f4976","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/abe971aa-0875-42bc-a077-6b7a53d9a5d9",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/abe971aa-0875-42bc-a077-6b7a53d9a5d9",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2dbfd578-d502-42e4-b233-8040d22f4976","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34292","PortSpecifier":{"PortValue":34292}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","method":"DELETE","path":"/maas-api/v1/api-keys/3246a84c-01ae-46d5-b95b-d2ce12515190","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34292","PortSpecifier":{"PortValue":34292}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":408744471},"http":{"id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/3246a84c-01ae-46d5-b95b-d2ce12515190",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/3246a84c-01ae-46d5-b95b-d2ce12515190",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"01cd4dac-8167-45b5-be8a-46957d0a87d6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34300","PortSpecifier":{"PortValue":34300}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34300","PortSpecifier":{"PortValue":34300}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":450749378},"http":{"id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8c22a2ad-e1ee-47c3-b289-66118b1c96e6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"811082aa-5e6c-43da-a150-b12544846b6e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34302","PortSpecifier":{"PortValue":34302}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"811082aa-5e6c-43da-a150-b12544846b6e","method":"POST","path":"/maas-api/internal/v1/subscriptions/select","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"811082aa-5e6c-43da-a150-b12544846b6e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:34302","PortSpecifier":{"PortValue":34302}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491580,"nanos":730972239},"http":{"id":"811082aa-5e6c-43da-a150-b12544846b6e","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/internal/v1/subscriptions/select",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-14MZYmIVrUzyKbmqW_P39KzOeGLUnI6R1fLh5Yj1DGzbLetvRyJ2l1LiqmKIW"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-14MZYmIVrUzyKbmqW_P39KzOeGLUnI6R1fLh5Yj1DGzbLetvRyJ2l1LiqmKIW\"}"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"811082aa-5e6c-43da-a150-b12544846b6e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"811082aa-5e6c-43da-a150-b12544846b6e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"811082aa-5e6c-43da-a150-b12544846b6e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"811082aa-5e6c-43da-a150-b12544846b6e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:55300","PortSpecifier":{"PortValue":55300}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","method":"POST","path":"/maas-api/internal/v1/subscriptions/select","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:55300","PortSpecifier":{"PortValue":55300}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491597,"nanos":375781327},"http":{"id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/internal/v1/subscriptions/select",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-14MZYmIVrUzyKbmqW_P39KzOeGLUnI6R1fLh5Yj1DGzbLetvRyJ2l1LiqmKIW"} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-14MZYmIVrUzyKbmqW_P39KzOeGLUnI6R1fLh5Yj1DGzbLetvRyJ2l1LiqmKIW\"}"} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":[\"system:serviceaccount:llm:e2e-filter-sa-18110d9c\"],\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:37Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"472b330f-600e-4ef1-8970-7eae6b86bbb2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:46:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:46:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:46:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:47:58Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"} {"level":"debug","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:47:58Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"info","ts":"2026-06-15T02:48:14Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"info","ts":"2026-06-15T02:48:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"info","ts":"2026-06-15T02:48:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/4761bb47d376cdd951bd336dd5e30f689e03a33dca3233d4b4c97f7eedcb70a8"} {"level":"info","ts":"2026-06-15T02:48:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/181d83bb1b3868f6e3b0aded2fe834b1e4f117dfd73610dfd289ae2e481219ec"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"error","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:29Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"debug","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e"} {"level":"info","ts":"2026-06-15T02:48:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3f34e23a13aee8203a92ce38884671a017682f89eeb9460bae376efb811ceee2"} {"level":"info","ts":"2026-06-15T02:48:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/47955481b24b6eced0b56fd4a1a6fb0f69177d1a652acbf9ffa86cfc13fa1c79"} {"level":"info","ts":"2026-06-15T02:48:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/bfd6c141375f96ba0f615a9e7c140b2588a47e69040cfe20a148f87cd43e85c9"} {"level":"info","ts":"2026-06-15T02:48:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/b30e859c910f05bef733f3c6c8687e05b612e1194d07f752c93892595577cd6e"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50364","PortSpecifier":{"PortValue":50364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a291a26e-d823-4af1-8e06-352ed698bcff","method":"DELETE","path":"/maas-api/v1/api-keys/8c7efa80-199f-455e-99fc-a9e4c0a2f3e4","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50364","PortSpecifier":{"PortValue":50364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491738,"nanos":458375099},"http":{"id":"a291a26e-d823-4af1-8e06-352ed698bcff","method":"DELETE","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8c7efa80-199f-455e-99fc-a9e4c0a2f3e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8c7efa80-199f-455e-99fc-a9e4c0a2f3e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a291a26e-d823-4af1-8e06-352ed698bcff","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50380","PortSpecifier":{"PortValue":50380}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50380","PortSpecifier":{"PortValue":50380}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491738,"nanos":524695003},"http":{"id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d73e0137-1ad7-45fa-9c43-3c12eefb3e66","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50386","PortSpecifier":{"PortValue":50386}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50386","PortSpecifier":{"PortValue":50386}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491738,"nanos":581789005},"http":{"id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d0dc6aaa-5ecf-4a8f-b5ae-077f1b08f9ce","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50400","PortSpecifier":{"PortValue":50400}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50400","PortSpecifier":{"PortValue":50400}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491738,"nanos":637399600},"http":{"id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"228b1c3b-c65a-4dfd-92af-243ccc535b57","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50416","PortSpecifier":{"PortValue":50416}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50416","PortSpecifier":{"PortValue":50416}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491738,"nanos":675556902},"http":{"id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:48:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b3fee861-0329-42cd-82fc-fad7a0dc730a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:48:59Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"error","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:48:59Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T02:49:00Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"error","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-15T02:49:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"info","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50420","PortSpecifier":{"PortValue":50420}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"014b3003-3e20-49ba-a403-f4a2a027be39","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.16:50420","PortSpecifier":{"PortValue":50420}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.35:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781491741,"nanos":477188227},"http":{"id":"014b3003-3e20-49ba-a403-f4a2a027be39","method":"POST","headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"]}} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/42269ff05002"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=3a22f22f-874c-4956-b85d-5b49cbe4a08e"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"01e48b98-e0f3-4ea3-a917-c11eb509cb35","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.35:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.60a4cd83-e96d-478e-9d2f-42269ff05002.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/e2e-unconfigured-facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-15T02:49:01Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"014b3003-3e20-49ba-a403-f4a2a027be39","authorized":true,"response":"OK"}