Merge branch 'main' of github.com:redhat-et/maas-billing into clean_maas

Author: dmytro-zaharnytskyi

.github/hack/install-odh.sh

@@ -5,9 +5,12 @@
 # Prerequisites: cert-manager and LWS operators (run install-cert-manager-and-lws.sh first).
 #
 # Environment variables:
-#   OPERATOR_CATALOG - Custom catalog image (optional). When unset, uses community-operators (ODH 3.3).
+#   OPERATOR_CATALOG - Custom catalog image (optional). When unset, uses community-operators.
 #                      Set to e.g. quay.io/opendatahub/opendatahub-operator-catalog:latest for custom builds.
-#   OPERATOR_CHANNEL - Subscription channel (default: fast-3 for community, fast for custom catalog)
+#   OPERATOR_CHANNEL   - Subscription channel (default: fast-3)
+#   OPERATOR_STARTING_CSV - Pin Subscription startingCSV (default: opendatahub-operator.v3.4.0-ea.1). Set to "-" to omit.
+#   OPERATOR_INSTALL_PLAN_APPROVAL - Manual (default) or Automatic; use "-" to omit.
+#     Manual: blocks auto-upgrades; this script auto-approves only the first InstallPlan so install does not stall.
 #   OPERATOR_IMAGE   - Custom operator image to patch into CSV (optional)
 #
 # Usage: ./install-odh.sh
@@ -21,6 +24,8 @@ DATA_DIR="${REPO_ROOT}/scripts/data"
 NAMESPACE="${OPERATOR_NAMESPACE:-opendatahub}"
 OPERATOR_CATALOG="${OPERATOR_CATALOG:-}"
 OPERATOR_CHANNEL="${OPERATOR_CHANNEL:-}"
+OPERATOR_STARTING_CSV="${OPERATOR_STARTING_CSV:-}"
+OPERATOR_INSTALL_PLAN_APPROVAL="${OPERATOR_INSTALL_PLAN_APPROVAL:-}"
 OPERATOR_IMAGE="${OPERATOR_IMAGE:-}"
 
 # Source deployment helpers
@@ -59,28 +64,38 @@ patch_operator_csv_if_needed() {
 echo "=== Installing OpenDataHub operator ==="
 echo ""
 
-# 1. Catalog setup: use community-operators (ODH 3.3) by default, or custom catalog when OPERATOR_CATALOG is set
+# 1. Catalog setup: community-operators by default, or custom catalog when OPERATOR_CATALOG is set
 echo "1. Setting up ODH catalog..."
 if [[ -n "$OPERATOR_CATALOG" ]]; then
   echo "   Using custom catalog: $OPERATOR_CATALOG"
   create_custom_catalogsource "odh-custom-catalog" "openshift-marketplace" "$OPERATOR_CATALOG"
   catalog_source="odh-custom-catalog"
-  channel="${OPERATOR_CHANNEL:-fast}"
+  channel="${OPERATOR_CHANNEL:-fast-3}"
 else
-  echo "   Using community-operators (ODH 3.3)"
+  echo "   Using community-operators"
   catalog_source="community-operators"
   channel="${OPERATOR_CHANNEL:-fast-3}"
 fi
 
+# Pin to ODH 3.4 EA1 unless overridden (omit with OPERATOR_STARTING_CSV=- to follow channel head)
+starting_csv="${OPERATOR_STARTING_CSV:-opendatahub-operator.v3.4.0-ea.1}"
+[[ "$starting_csv" == "-" ]] && starting_csv=""
+
+# Manual = no auto-upgrades; install_olm_operator still approves the first InstallPlan programmatically
+plan_approval="${OPERATOR_INSTALL_PLAN_APPROVAL:-Manual}"
+[[ "$plan_approval" == "-" ]] && plan_approval=""
+
 # 2. Install ODH operator via OLM
 echo "2. Installing ODH operator..."
 install_olm_operator \
   "opendatahub-operator" \
   "$NAMESPACE" \
   "$catalog_source" \
   "$channel" \
-  "" \
-  "AllNamespaces"
+  "$starting_csv" \
+  "AllNamespaces" \
+  "openshift-marketplace" \
+  "$plan_approval"
 
 # 3. Patch CSV with custom image if specified
 if [[ -n "$OPERATOR_IMAGE" ]]; then

.gitleaks.toml

@@ -0,0 +1,67 @@
+# Gitleaks configuration for opendatahub-io repos
+# Synced from security-config. Do not edit in target repos.
+#
+# Path allowlists use Go regex syntax.
+# Real credentials should NEVER be committed to any repository.
+
+[extend]
+  useDefault = true
+
+[allowlist]
+  description = "Exclude test fixtures, mock data, sample configs, and CI resources"
+  paths = [
+    # Go test files (commonly contain mock credentials)
+    '''.*_test\.go$''',
+
+    # JS/TS test files (.spec.ts, .test.tsx, etc.)
+    '''.*\.spec\.(ts|tsx|js|jsx)$''',
+    '''.*\.test\.(ts|tsx|js|jsx)$''',
+
+    # JS/TS test directories
+    '''__tests__/''',
+
+    # Go testdata directories
+    '''testdata/''',
+
+    # Python test data directories
+    '''test_data/''',
+
+    # Test fixtures
+    '''fixtures/''',
+
+    # JavaScript/TypeScript mocks
+    '''__mocks__/''',
+
+    # Go/Java/TS mock directories
+    '''mocks/''',
+    '''k8mocks/''',
+
+    # Sample and example configs with placeholder credentials
+    '''docs/samples/''',
+    '''config/samples/''',
+    '''config/overlays/test/''',
+
+    # CI/GitHub Actions test resources
+    '''\.github/resources/''',
+
+    # E2E test credentials
+    '''test/e2e/credentials/''',
+    '''tests/e2e/credentials/''',
+
+    # OpenShift CI sample resources
+    '''openshift-ci/resources/samples/''',
+
+    # Cypress test data
+    '''cypress/fixtures/''',
+    '''cypress/tests/mocked/''',
+
+    # Test certificate and key files
+    '''tests/data/.*\.(pem|crt|key)$''',
+  ]
+
+  # Known test/placeholder credentials used in documentation and tests
+  regexes = [
+    '''database-password\s*:\s*"?(The)?BlurstOfTimes"?''',
+    '''database-user\s*:\s*"?mlmduser"?''',
+    '''database-user\s*:\s*"?modelregistryuser"?''',
+  ]

.gitleaksignore

@@ -0,0 +1,5 @@
+# Gitleaks ignore file
+# Add false positive fingerprints below (one per line)
+# Format: commit:file:rule-id:line or file:rule-id:line
+#
+# For path-based exclusions, use .gitleaks.toml allowlist instead.

.tekton/odh-maas-api-pull-request.yaml

@@ -29,6 +29,12 @@ spec:
     value: maas-api/Dockerfile
   - name: path-context
     value: maas-api
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   - name: additional-tags
     value:
     - 'odh-pr-{{revision}}'

.tekton/odh-maas-api-push.yaml

@@ -28,6 +28,12 @@ spec:
     value: maas-api/Dockerfile
   - name: path-context
     value: maas-api
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   pipelineRef:
     resolver: git
     params:

.tekton/odh-maas-controller-pull-request.yaml

@@ -34,6 +34,12 @@ spec:
     - 'odh-pr-{{revision}}'
   - name: pipeline-type
     value: pull-request
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   pipelineRef:
     resolver: git
     params:

.tekton/odh-maas-controller-push.yaml

@@ -28,6 +28,12 @@ spec:
     value: Dockerfile
   - name: path-context
     value: maas-controller
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   pipelineRef:
     resolver: git
     params:

OWNERS

@@ -4,6 +4,7 @@ approvers:
   - chaitanya1731
   - nerdalert
   - jland-redhat
+  - nirrozenbaum
   - dmytro-zaharnytskyi
   - SB159
   - noyitz
@@ -21,6 +22,7 @@ reviewers:
   - chaitanya1731
   - nerdalert
   - jland-redhat
+  - nirrozenbaum
   - dmytro-zaharnytskyi
   - SB159
   - noyitz

deployment/base/maas-controller/crd/bases/maas.opendatahub.io_maasmodelrefs.yaml

@@ -55,6 +55,25 @@ spec:
           spec:
             description: MaaSModelSpec defines the desired state of MaaSModelRef
             properties:
+              credentialRef:
+                description: |-
+                  CredentialRef references a Kubernetes Secret containing the provider API key.
+                  The Secret must contain a data key "api-key" with the credential value.
+                  Only used when modelRef.kind=ExternalModel.
+                properties:
+                  name:
+                    description: Name is the name of the Secret
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the Secret. Defaults
+                      to the MaaSModelRef namespace if omitted.
+                    maxLength: 253
+                    type: string
+                required:
+                - name
+                type: object
               endpointOverride:
                 description: |-
                   EndpointOverride, when set, overrides the endpoint URL that the controller
@@ -64,6 +83,16 @@ spec:
               modelRef:
                 description: ModelRef references the actual model endpoint
                 properties:
+                  endpoint:
+                    description: |-
+                      Endpoint is the FQDN of the external provider (no scheme or path).
+                      e.g. "api.openai.com". Only used when kind=ExternalModel.
+                      This field is metadata for downstream consumers (e.g. BBR provider-resolver plugin)
+                      and is not used by the controller for endpoint derivation. Use spec.endpointOverride
+                      to override the controller-derived endpoint.
+                    maxLength: 253
+                    pattern: ^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$
+                    type: string
                   kind:
                     description: Kind determines which fields are available
                     enum:
@@ -73,10 +102,20 @@ spec:
                   name:
                     description: Name is the name of the model resource
                     type: string
+                  provider:
+                    description: |-
+                      Provider identifies the API format and auth type for external models.
+                      e.g. "openai", "anthropic". Only used when kind=ExternalModel.
+                    maxLength: 63
+                    type: string
                 required:
                 - kind
                 - name
                 type: object
+                x-kubernetes-validations:
+                - message: provider is required when kind is ExternalModel
+                  rule: self.kind != 'ExternalModel' || has(self.provider) && self.provider
+                    != ''
             required:
             - modelRef
             type: object

maas-api/internal/handlers/models.go

@@ -78,7 +78,8 @@ func (h *ModelsHandler) selectSubscriptionsForListing(
 
 	// Single subscription selection (existing behavior)
 	if h.subscriptionSelector != nil {
-		result, err := h.subscriptionSelector.Select(userContext.Groups, userContext.Username, requestedSubscription)
+		//nolint:unqueryvet,nolintlint // Select is a method, not a SQL query
+		result, err := h.subscriptionSelector.Select(userContext.Groups, userContext.Username, requestedSubscription, "")
 		if err != nil {
 			h.handleSubscriptionSelectionError(c, err)
 			return nil, true
@@ -99,6 +100,7 @@ func (h *ModelsHandler) selectSubscriptionsForListing(
 // handleSubscriptionSelectionError handles errors from subscription selection and sends appropriate HTTP responses.
 func (h *ModelsHandler) handleSubscriptionSelectionError(c *gin.Context, err error) {
 	var multipleSubsErr *subscription.MultipleSubscriptionsError
+	var ambiguousErr *subscription.SubscriptionAmbiguousError
 	var accessDeniedErr *subscription.AccessDeniedError
 	var notFoundErr *subscription.SubscriptionNotFoundError
 	var noSubErr *subscription.NoSubscriptionError
@@ -117,6 +119,16 @@ func (h *ModelsHandler) handleSubscriptionSelectionError(c *gin.Context, err err
 		return
 	}
 
+	if errors.As(err, &ambiguousErr) {
+		h.logger.Debug("Subscription name is ambiguous")
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": gin.H{
+				"message": err.Error(),
+				"type":    "permission_error",
+			}})
+		return
+	}
+
 	if errors.As(err, &accessDeniedErr) {
 		h.logger.Debug("Access denied to subscription")
 		c.JSON(http.StatusForbidden, gin.H{
@@ -255,7 +267,7 @@ func (h *ModelsHandler) ListLLMs(c *gin.Context) {
 			} else {
 				// User has zero accessible subscriptions - return empty list
 				h.logger.Debug("User has zero accessible subscriptions, returning empty model list")
-				// modelList is already initialized to empty slice at line 235
+				// modelList is already initialized to empty slice above
 			}
 		} else {
 			// Filter models by subscription(s) and aggregate subscriptions
@@ -268,8 +280,22 @@ func (h *ModelsHandler) ListLLMs(c *gin.Context) {
 			modelsByKey := make(map[modelKey]*models.Model)
 
 			for _, sub := range subscriptionsToUse {
-				h.logger.Debug("Filtering models by subscription", "subscription", sub.Name, "modelCount", len(list))
-				filteredModels := h.modelMgr.FilterModelsByAccess(c.Request.Context(), list, authHeader, sub.Name)
+				// Pre-filter by modelRefs if available (optimization to reduce HTTP calls)
+				modelsToCheck := list
+				if len(sub.ModelRefs) > 0 {
+					h.logger.Debug("Pre-filtering models by subscription modelRefs",
+						"subscription", sub.Name,
+						"totalModels", len(list),
+						"modelRefsCount", len(sub.ModelRefs),
+					)
+					modelsToCheck = filterModelsBySubscription(list, sub.ModelRefs)
+					h.logger.Debug("After modelRef filtering", "modelsToCheck", len(modelsToCheck))
+				}
+
+				// Use qualified "namespace/name" format for accurate authorization checks
+				qualifiedSubName := sub.Namespace + "/" + sub.Name
+				h.logger.Debug("Filtering models by subscription", "subscription", qualifiedSubName, "modelCount", len(modelsToCheck))
+				filteredModels := h.modelMgr.FilterModelsByAccess(c.Request.Context(), modelsToCheck, authHeader, qualifiedSubName)
 
 				for _, model := range filteredModels {
 					subInfo := models.SubscriptionInfo{
@@ -323,3 +349,29 @@ func (h *ModelsHandler) ListLLMs(c *gin.Context) {
 		Data:   modelList,
 	})
 }
+
+// filterModelsBySubscription filters models to only those matching the subscription's modelRefs.
+func filterModelsBySubscription(modelList []models.Model, modelRefs []subscription.ModelRefInfo) []models.Model {
+	if len(modelRefs) == 0 {
+		return modelList
+	}
+
+	// Build map of allowed models for fast lookup
+	allowed := make(map[string]bool)
+	for _, ref := range modelRefs {
+		key := ref.Namespace + "/" + ref.Name
+		allowed[key] = true
+	}
+
+	// Filter models
+	filtered := make([]models.Model, 0, len(modelList))
+	for _, model := range modelList {
+		// Models from MaaSModelRefLister have OwnedBy set to namespace
+		modelKey := model.OwnedBy + "/" + model.ID
+		if allowed[modelKey] {
+			filtered = append(filtered, model)
+		}
+	}
+
+	return filtered
+}