name\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:27:06Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:27:06Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:35.963Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:05:01Z","generation":63,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:22Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:29:27Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"49675","uid":"2a7bd2dd-c616-468e-8718-2282841db56d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-distinct-2-simulated\":{\"users\":[\"system:serviceaccount:default:e2e-sa-multi-subs-with-header\"],\"groups\":null},\"llm/e2e-distinct-simulated\":{\"users\":[\"system:serviceaccount:default:e2e-sa-multi-subs-with-header\"],\"groups\":null},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:22Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:22Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:35.972Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"redhat-ai-gateway-infra/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:redhat-ai-gateway-infra/maas-api-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:01Z","generation":63,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:22Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:29:27Z"}],"name":"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a","namespace":"kuadrant-system","resourceVersion":"49658","uid":"118ee623-5ad8-48cb-933d-f46dc1b65a6a"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-distinct-2-simulated\":{\"users\":[\"system:serviceaccount:default:e2e-sa-multi-subs-with-header\"],\"groups\":null},\"llm/e2e-distinct-simulated\":{\"users\":[\"system:serviceaccount:default:e2e-sa-multi-subs-with-header\"],\"groups\":null},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:22Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:22Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:35.980Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:04:16Z","generation":63,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:28:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:29:27Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"49679","uid":"0e93ac3a-fc70-4137-96b9-b899981d7265"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-distinct-2-simulated\":{\"users\":[\"system:serviceaccount:default:e2e-sa-multi-subs-with-header\"],\"groups\":null},\"llm/e2e-distinct-simulated\":{\"users\":[\"system:serviceaccount:default:e2e-sa-multi-subs-with-header\"],\"groups\":null},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:28:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:28:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:35.987Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"dae6ac11-6ae7-4d98-aade-387536a772c4","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:35.994Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:36.044Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-e2e-distinct-simulated","namespace":"llm","uid":"400d63e1-9abf-41ba-a176-7db5aa207aff","error":"tokenratelimitpolicies.kuadrant.io \"maas-trlp-e2e-distinct-simulated\" not found"}
{"level":"error","ts":"2026-06-11T15:29:36.140Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"c0f9dadb-f62c-4f70-934f-f8f64dfe0bc5","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:36.147Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-e2e-distinct-2-simulated","namespace":"llm","uid":"3a580515-a605-4d23-9565-9483a91cd153","error":"tokenratelimitpolicies.kuadrant.io \"maas-trlp-e2e-distinct-2-simulated\" not found"}
{"level":"error","ts":"2026-06-11T15:29:36.160Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-distinct-simulated-kserve-route","namespace":"llm","uid":"dacddfd6-46ae-4bdc-a004-6c0488485a44","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-distinct-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:29:36.258Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-distinct-2-simulated-kserve-route","namespace":"llm","uid":"32bcbb64-505b-4040-a0ba-099e9a70b50b","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-distinct-2-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:29:37.242Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","WasmPlugin","AuthPolicy","HTTPRoute","TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"delete":2,"update":35}}
{"level":"info","ts":"2026-06-11T15:29:37.252Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:37.253Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:29:37.440Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:29:37.440Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:37.448Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:37.540Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:37.544Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:29:37.545Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:37.545Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"error","ts":"2026-06-11T15:29:37.551Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:29:37.551Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:37.643Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:37.941Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:37.951Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:39.150Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","WasmPlugin","HTTPRoute","Limitador","AuthPolicy"],"eventTypes":{"update":6}}
{"level":"info","ts":"2026-06-11T15:29:39.160Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:39.250Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:29:39.346Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:29:39.346Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:39.440Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:39.440Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:39.445Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:39.542Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:39.546Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:39.740Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:29:39.841Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:40.557Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:40.648Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:41.847Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy","Limitador","ConfigMap"],"eventTypes":{"update":30}}
{"level":"info","ts":"2026-06-11T15:29:41.857Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:41.859Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:29:41.946Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:29:41.946Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:41.949Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:41.951Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:29:41.951Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:42.040Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:42.040Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:42.042Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:42.048Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:42.461Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:42.546Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:43.142Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","AuthPolicy","Limitador","ConfigMap"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T15:29:43.152Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:43.154Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:29:43.243Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:29:43.243Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:43.248Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:43.340Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:43.344Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:29:43.344Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:43.340Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:43.344Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:43.347Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:43.855Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:43.947Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:45.352Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","ConfigMap"],"eventTypes":{"update":2}}
{"level":"info","ts":"2026-06-11T15:29:45.540Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:45.540Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:45.545Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:47.643Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy","ConfigMap"],"eventTypes":{"update":29}}
{"level":"info","ts":"2026-06-11T15:29:47.744Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:47.745Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:47.745Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:53.541Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","ConfigMap","AuthPolicy"],"eventTypes":{"create":1,"update":2}}
{"level":"info","ts":"2026-06-11T15:29:53.847Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:53.851Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:53.851Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:53.940Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:53.945Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:29:53.954Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:55.447Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy","HTTPRoute","WasmPlugin","Limitador"],"eventTypes":{"update":7}}
{"level":"info","ts":"2026-06-11T15:29:55.456Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:55.546Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:29:55.745Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:55.749Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:55.750Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:29:55.750Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:55.840Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:55.840Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:55.944Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:55.944Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:29:55.944Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:56.255Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:56.443Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:56.860Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T15:29:56.869Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:56.946Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:29:57.042Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:29:57.042Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:57.141Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:57.145Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:29:57.145Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:57.145Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:57.145Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:29:57.243Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:29:57.465Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:29:57.542Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:02.462Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T15:30:02.560Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:02.560Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:02.640Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:02.642Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:02.742Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:04.145Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","WasmPlugin","TokenRateLimitPolicy","AuthPolicy","Limitador","HTTPRoute"],"eventTypes":{"update":7}}
{"level":"info","ts":"2026-06-11T15:30:04.244Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:04.246Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:04.341Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:04.341Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:04.352Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:04.440Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:04.440Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:04.445Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:04.448Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:04.448Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:04.452Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:05.561Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:05.647Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:06.744Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","TokenRateLimitPolicy","ConfigMap","Limitador","AuthPolicy"],"eventTypes":{"update":32}}
{"level":"info","ts":"2026-06-11T15:30:06.755Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:06.757Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:06.843Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:06.843Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:06.848Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:06.852Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:06.852Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:06.940Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:06.942Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:06.942Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:06.944Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:07.357Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:07.442Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:11.842Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","HTTPRoute","ConfigMap","Gateway"],"eventTypes":{"create":1,"update":3}}
{"level":"info","ts":"2026-06-11T15:30:11.948Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:11.950Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:11.950Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:12.040Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:12.043Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:12.044Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:12.053Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:13.357Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:13.443Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:13.543Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy"],"eventTypes":{"create":1,"update":1}}
{"level":"info","ts":"2026-06-11T15:30:13.847Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:13.847Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:13.851Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:13.940Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:13.940Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"error","ts":"2026-06-11T15:30:13.943Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:13.943Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"error","ts":"2026-06-11T15:30:13.943Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:33Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:14Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system","resourceVersion":"50451","uid":"d696f2c4-06d6-4610-a60a-329dc2bf84ba"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:13.952Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:04:25Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:27:49Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system","resourceVersion":"50430","uid":"2fc6ce15-4ff3-4c19-83ee-5f13f9342899"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:27:49Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:27:49Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.049Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T15:04:16Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:30:04Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system","resourceVersion":"50409","uid":"a81aa45f-833b-4fde-a8f6-5166f487621a"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.059Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:05:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:26:09Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system","resourceVersion":"50454","uid":"a4e64330-cac5-4cff-be2c-66e8adca6362"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:26:09Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:26:09Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.149Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T15:04:25Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:27:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system","resourceVersion":"50424","uid":"af35bc00-99df-48d1-80fb-5ce0c9f17b5d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:27:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:27:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.157Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:04:16Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:28:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"50423","uid":"0e93ac3a-fc70-4137-96b9-b899981d7265"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:28:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:28:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.248Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:05:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:22Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"50419","uid":"2a7bd2dd-c616-468e-8718-2282841db56d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:22Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:22Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.256Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"redhat-ai-gateway-infra/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:redhat-ai-gateway-infra/maas-api-route#rule-2"},"creationTimestamp":"2026-06-11T15:04:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:28:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system","resourceVersion":"50435","uid":"032e05d3-065e-4cf1-afd4-033040316828"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:28:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:28:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.257Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-11T15:03:09Z","generation":201,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"f63b4dca-3702-4f9e-a178-bae025841022\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:02Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"f63b4dca-3702-4f9e-a178-bae025841022"}],"resourceVersion":"50378","uid":"f478ea67-c664-4937-a580-b4f1c1aafd02"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d3e90399ff57f96121193274698488b8ca62d01a2426bba36e14aeedaf018fac","routeRuleConditions":{"hostnames":["keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]}],"name":"4b77f64765a45c34fc0c46ec3eb3fefd5099ba53f484e065861ce52ebf0e58e3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-external-model')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"49395eecbc723bab3fe15d91a795375c74c85121e66fd8a85a2828cb848aab09","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"34173f2cf1a110c467e75701f004dc69fe3610a36fdccd0a9e4d6805e40c2fc2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_e2e_external_subscription_e2e_external_model_tokens__cfee5cf8","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/e2e-external-subscription@llm/e2e-external-model\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-e2e-external-model"]}],"name":"2353fe625a0d4b76d877c4b87e1bf058d72d76bda7fbcbb6113dc93cea20b10f","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/')","request.headers.exists(h, h.lowerAscii() == 'x-gateway-model-name' && request.headers[h] == 'gpt-3.5-turbo')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.268Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-external-model","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-external-model#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11\" already exists"}
{"level":"error","ts":"2026-06-11T15:30:14.276Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:04:57Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:27:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system","resourceVersion":"50441","uid":"5ea52233-0cc9-49cf-9b90-593a5a4f0737"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:27:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:27:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.284Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:04:33Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:02Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system","resourceVersion":"50446","uid":"bbc52a84-b448-496e-a2fb-161b9f3156d4"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:02Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:02Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.348Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:05:07Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:25:32Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system","resourceVersion":"50426","uid":"8f6ea451-ef4e-4007-b0a0-5144ac7a860d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:25:32Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:25:32Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.356Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:04:16Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system","resourceVersion":"50453","uid":"3674d66a-4aac-4f14-a8de-41e11e802976"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:34Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:34Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.363Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T15:05:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:27Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system","resourceVersion":"50444","uid":"51769216-c5fa-4852-ad59-5eff19c78b4e"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:27Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:27Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.371Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:05:07Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system","resourceVersion":"50448","uid":"9d439797-e677-4573-a328-07e6be76db70"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:34Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:34Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.383Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-external-model","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-external-model#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0\" already exists"}
{"level":"error","ts":"2026-06-11T15:30:14.391Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T15:05:07Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:30:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system","resourceVersion":"50438","uid":"8b679a22-b1f5-4805-a5de-fe290dd789d2"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:30:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:30:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.399Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T15:04:57Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:26:40Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system","resourceVersion":"50450","uid":"3402958d-3997-4038-9194-8a4f504e1f2c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:26:40Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:26:40Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.408Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T15:05:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:39Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system","resourceVersion":"50442","uid":"2f227298-adf6-471b-ae78-cfb2d7d7c4e3"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:39Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:39Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.416Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"redhat-ai-gateway-infra/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:redhat-ai-gateway-infra/maas-api-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:45Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a","namespace":"kuadrant-system","resourceVersion":"50457","uid":"118ee623-5ad8-48cb-933d-f46dc1b65a6a"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:45Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:45Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.424Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T15:04:33Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:30:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system","resourceVersion":"50439","uid":"282730e5-dfc8-4026-8d2d-f20b7ec5dfa2"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:30:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:30:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.431Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:57Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:30:04Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system","resourceVersion":"50407","uid":"8aec395f-8a41-4fb7-a488-60ff2839110a"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.439Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:16Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:30:04Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system","resourceVersion":"50428","uid":"735cfd9b-7d86-4ec9-9317-149e68ec3edc"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.448Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T15:04:33Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:27Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system","resourceVersion":"50456","uid":"49242f0c-9aad-4d75-b2e6-fde67c6cb57b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:27Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:27Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.458Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:25Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:30:04Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system","resourceVersion":"50413","uid":"f4ddd49a-5168-49d7-bb05-86209d86dd9f"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:30:04Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.469Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":"2026-06-11T15:04:01Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:27Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:04Z"}],"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system","resourceVersion":"50429","uid":"4dcec688-a6fe-4965-9d29-08f2f48147fc"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:27Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:27Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.479Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:04:25Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:26:09Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system","resourceVersion":"50445","uid":"91763d06-acaa-4005-9ac3-507ceae9cd0d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:26:09Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:26:09Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.489Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T15:04:57Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:27:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system","resourceVersion":"50440","uid":"5dd98cca-2b96-42d8-8cf7-af55ef663374"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:27:06Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:27:06Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.499Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T15:05:07Z","generation":67,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T15:29:46Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:05Z"}],"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system","resourceVersion":"50437","uid":"f1785ce2-ee01-4f61-8418-41f1755a6db0"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T15:29:46Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T15:29:46Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.507Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"dae6ac11-6ae7-4d98-aade-387536a772c4","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.515Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.557Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"c0f9dadb-f62c-4f70-934f-f8f64dfe0bc5","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.562Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-e2e-external-model","namespace":"llm","uid":"1622ec12-4bdf-4595-9e3b-48c4d5940156","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-e2e-external-model\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:14.568Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-external-model","namespace":"llm","uid":"d3ae1852-b311-48c5-8245-4aff54a0541f","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-external-model\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:15.744Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","TokenRateLimitPolicy","AuthPolicy","ConfigMap","WasmPlugin","HTTPRoute","Limitador"],"eventTypes":{"create":2,"update":35}}
{"level":"info","ts":"2026-06-11T15:30:15.753Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:15.756Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:15.940Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:15.940Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:15.948Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:16.040Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:16.045Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:16.045Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:16.040Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:16.045Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:16.342Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:16.662Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"error","ts":"2026-06-11T15:30:16.745Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"maas-default-gateway","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:16.750Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:17.947Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","ConfigMap","HTTPRoute","Gateway","Limitador","AuthPolicy"],"eventTypes":{"create":1,"update":7}}
{"level":"info","ts":"2026-06-11T15:30:17.959Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:18.042Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:18.142Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:18.142Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:18.149Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:18.153Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:18.153Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:18.241Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:18.252Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:18.446Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:18.552Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:18.983Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:19.144Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:20.446Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","AuthPolicy","AuthConfig","WasmPlugin","HTTPRoute","ConfigMap"],"eventTypes":{"create":2,"update":8}}
{"level":"info","ts":"2026-06-11T15:30:20.458Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:20.460Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:20.644Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:20.644Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:20.745Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:20.745Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:20.748Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:20.748Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:20.748Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:20.748Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:20.845Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:21.265Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:21.347Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:21.446Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}}
{"level":"error","ts":"2026-06-11T15:30:21.755Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:22.351Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","ConfigMap","AuthPolicy"],"eventTypes":{"update":6}}
{"level":"info","ts":"2026-06-11T15:30:22.366Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:22.447Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:22.641Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:22.641Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:22.649Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:22.740Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:22.743Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:22.743Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:22.740Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:22.743Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:22.745Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:23.361Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:23.448Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:41.644Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap","HTTPRoute"],"eventTypes":{"delete":1,"update":2}}
{"level":"info","ts":"2026-06-11T15:30:41.847Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:41.851Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:41.949Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:41.949Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:41.949Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:42.048Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:42.050Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:42.573Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:42.744Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:43.944Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","WasmPlugin","ConfigMap","AuthConfig"],"eventTypes":{"delete":2,"update":6}}
{"level":"info","ts":"2026-06-11T15:30:43.954Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:43.956Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:44.043Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:44.043Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:44.044Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:44.044Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:44.140Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:44.144Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:44.145Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:44.145Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:44.679Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:44.744Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:45.354Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy","Limitador"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T15:30:45.364Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:45.442Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:45.540Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:45.540Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:45.542Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:45.545Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:45.545Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:45.545Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:45.545Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:45.549Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:45.948Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:45.958Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:53.952Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T15:30:54.148Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:54.150Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:54.151Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:54.151Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:54.244Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:54.645Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","Gateway","HTTPRoute"],"eventTypes":{"delete":1,"update":2}}
{"level":"info","ts":"2026-06-11T15:30:54.842Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:54.845Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:54.848Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T15:30:54.848Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:54.848Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:54.942Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"error","ts":"2026-06-11T15:30:54.943Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:54.943Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"error","ts":"2026-06-11T15:30:55.346Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-11T15:03:09Z","generation":204,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"f63b4dca-3702-4f9e-a178-bae025841022\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-11T15:30:42Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"f63b4dca-3702-4f9e-a178-bae025841022"}],"resourceVersion":"51042","uid":"f478ea67-c664-4937-a580-b4f1c1aafd02"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d3e90399ff57f96121193274698488b8ca62d01a2426bba36e14aeedaf018fac","routeRuleConditions":{"hostnames":["keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"49395eecbc723bab3fe15d91a795375c74c85121e66fd8a85a2828cb848aab09","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"redhat-ai-gateway-infra/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"34173f2cf1a110c467e75701f004dc69fe3610a36fdccd0a9e4d6805e40c2fc2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:56.047Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"c0f9dadb-f62c-4f70-934f-f8f64dfe0bc5","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:56.063Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"dae6ac11-6ae7-4d98-aade-387536a772c4","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:56.063Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:56.147Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:57.258Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","WasmPlugin","ConfigMap","AuthPolicy","TokenRateLimitPolicy","Limitador","Gateway"],"eventTypes":{"create":1,"delete":2,"update":33}}
{"level":"info","ts":"2026-06-11T15:30:57.351Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:57.353Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:30:57.444Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:30:57.444Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:57.447Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:57.554Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:57.644Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:57.644Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:57.647Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:57.647Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:57.742Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:57.949Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:58.043Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:58.245Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}}
{"level":"info","ts":"2026-06-11T15:30:58.442Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:58.442Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:58.444Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:58.446Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:30:58.446Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:58.449Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:30:58.542Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"error","ts":"2026-06-11T15:30:58.755Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:58.758Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"c0f9dadb-f62c-4f70-934f-f8f64dfe0bc5","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T15:30:58.848Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"dae6ac11-6ae7-4d98-aade-387536a772c4","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:30:58.848Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:58.941Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:30:59.950Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Limitador","TokenRateLimitPolicy","AuthPolicy"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T15:30:59.959Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T15:30:59.961Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T15:31:00.140Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T15:31:00.140Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:00.245Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:00.245Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:00.245Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:00.340Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:00.342Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:00.342Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:00.344Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:00.559Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:00.643Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:00.668Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}}
{"level":"info","ts":"2026-06-11T15:31:01.045Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:01.048Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:01.048Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:01.146Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:01.147Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:01.150Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:01.150Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:01.446Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:01.548Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:02.058Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T15:31:02.343Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:02.345Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:02.345Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:02.440Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:02.442Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:02.442Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:02.444Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:02.656Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:02.846Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:08.547Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"create":1,"update":1}}
{"level":"info","ts":"2026-06-11T15:31:08.748Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:08.750Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:08.750Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:08.846Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:08.848Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:08.849Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:08.942Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:09.248Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:09.343Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"error","ts":"2026-06-11T15:31:09.346Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-2966a24a","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-2966a24a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:31:09.354Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}}
{"level":"info","ts":"2026-06-11T15:31:09.644Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:09.646Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:09.646Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:09.740Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:09.743Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:09.743Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:09.744Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:09.957Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:10.246Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"error","ts":"2026-06-11T15:31:10.340Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-2966a24a","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-2966a24a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:31:10.758Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"update":2}}
{"level":"info","ts":"2026-06-11T15:31:11.045Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:11.047Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:11.047Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:11.144Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:11.144Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:11.146Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:11.146Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:11.367Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:11.546Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"error","ts":"2026-06-11T15:31:11.552Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-2966a24a","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-2966a24a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T15:31:12.146Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"update":2}}
{"level":"info","ts":"2026-06-11T15:31:12.250Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:12.250Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:12.252Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:12.252Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:12.343Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:12.343Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:12.348Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:12.748Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:12.757Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:15.653Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T15:31:15.749Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:15.843Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:15.843Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:15.844Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:15.846Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T15:31:15.846Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T15:31:15.945Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T15:31:16.267Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T15:31:16.347Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}