Merge branch 'main' of github.com:opendatahub-io/models-as-a-service into feature/external-oidc

Author: dmytro-zaharnytskyi

deployment/base/maas-controller/rbac/clusterrole.yaml

@@ -18,6 +18,9 @@ rules:
 - apiGroups: ["gateway.networking.k8s.io"]
   resources: ["httproutes"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["gateway.networking.k8s.io"]
+  resources: ["httproutes/finalizers"]
+  verbs: ["update"]
 - apiGroups: ["kuadrant.io"]
   resources: ["authpolicies", "tokenratelimitpolicies"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]

maas-controller/pkg/controller/maas/maassubscription_controller.go

@@ -58,6 +58,7 @@ type MaaSSubscriptionReconciler struct {
 //+kubebuilder:rbac:groups=maas.opendatahub.io,resources=maasmodelrefs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=tokenratelimitpolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch
+//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/finalizers,verbs=update
 
 const (
 	maasSubscriptionFinalizer = "maas.opendatahub.io/subscription-cleanup"

test/e2e/scripts/auth_utils.sh

@@ -209,13 +209,15 @@ run_auth_debug_report() {
   _run "maas-controller MAAS_API_NAMESPACE" "echo '$env_display'"
   _append ""
 
-  _section "Kuadrant AuthPolicies"
+  _section "Kuadrant Policies"
   _run "AuthPolicies (all namespaces)" "kubectl get authpolicies -A -o wide 2>/dev/null || true"
+  _run "TokenRateLimitPolicies (all namespaces)" "kubectl get tokenratelimitpolicies -A -o wide 2>/dev/null || true"
   _append ""
 
   _section "MaaS CRs"
   _run "MaaSAuthPolicies" "kubectl get maasauthpolicies -n $MAAS_SUBSCRIPTION_NAMESPACE -o wide 2>/dev/null || true"
   _run "MaaSSubscriptions" "kubectl get maassubscriptions -n $MAAS_SUBSCRIPTION_NAMESPACE -o wide 2>/dev/null || true"
+  _run "MaaSSubscription status details" "kubectl get maassubscriptions -n $MAAS_SUBSCRIPTION_NAMESPACE -o jsonpath='{range .items[*]}{.metadata.name}: {.status.phase} - {.status.conditions[?(@.type==\"Ready\")].message}{\"\\n\"}{end}' 2>/dev/null || true"
   _run "MaaSModelRefs (all namespaces)" "kubectl get maasmodelrefs -A -o wide 2>/dev/null || true"
   _append ""
 

test/e2e/scripts/prow_run_smoke_test.sh

@@ -662,6 +662,34 @@ setup_test_tokens() {
         fi
     fi
 
+    # Grant odh-admins RBAC so SAR-based admin check passes.
+    # maas-api IsAdmin does a SubjectAccessReview: "can user create maasauthpolicies?"
+    # The ODH operator will provide this via opendatahub-operator#3301; until then, create it here.
+    oc apply -f - <<RBAC_EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: maas-admin
+rules:
+- apiGroups: ["maas.opendatahub.io"]
+  resources: ["maasauthpolicies", "maassubscriptions"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: odh-admins-maas-admin
+  namespace: $MAAS_SUBSCRIPTION_NAMESPACE
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: maas-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: odh-admins
+RBAC_EOF
+
     # 3. Fallback for regular user: always use a separate SA to ensure distinct users
     # This is required for IDOR tests that verify users cannot access each other's keys
     # Regular user stays in default namespace (system:serviceaccounts:default) - NOT in adminGroups

test/e2e/smoke.sh

@@ -126,6 +126,35 @@ setup_admin_token() {
     return 0
   fi
 
+  # Grant odh-admins RBAC so SAR-based admin check passes.
+  # maas-api IsAdmin does a SubjectAccessReview: "can user create maasauthpolicies?"
+  # The ODH operator will provide this via opendatahub-operator#3301; until then, create it here.
+  local maas_sub_ns="${MAAS_SUBSCRIPTION_NAMESPACE:-models-as-a-service}"
+  oc apply -f - <<RBAC_EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: maas-admin
+rules:
+- apiGroups: ["maas.opendatahub.io"]
+  resources: ["maasauthpolicies", "maassubscriptions"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: odh-admins-maas-admin
+  namespace: $maas_sub_ns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: maas-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: odh-admins
+RBAC_EOF
+
   # Use current user's token
   ADMIN_OC_TOKEN="$(oc whoami -t 2>/dev/null || true)"
   if [[ -n "${ADMIN_OC_TOKEN}" ]]; then

test/e2e/tests/test_models_endpoint.py

@@ -36,6 +36,8 @@
     _ns,
     _sa_to_user,
     _snapshot_cr,
+    _wait_for_maas_auth_policy_ready,
+    _wait_for_maas_subscription_ready,
     _wait_reconcile,
     DISTINCT_MODEL_ID,
     DISTINCT_MODEL_REF,
@@ -1099,7 +1101,10 @@ def test_user_token_returns_all_models(self):
             _create_test_auth_policy(auth2_name, DISTINCT_MODEL_2_REF, users=[sa_user])
             _create_test_subscription(sub2_name, DISTINCT_MODEL_2_REF, users=[sa_user])
 
-            _wait_reconcile()
+            _wait_for_maas_auth_policy_ready(auth1_name)
+            _wait_for_maas_auth_policy_ready(auth2_name)
+            _wait_for_maas_subscription_ready(sub1_name)
+            _wait_for_maas_subscription_ready(sub2_name)
 
             # Query with user token (no X-MaaS-Subscription header)
             log.info("Querying /v1/models with user token (no header)")
@@ -1954,7 +1959,10 @@ def test_service_account_token_multiple_subs_no_header(self):
             _create_test_auth_policy(auth2_name, DISTINCT_MODEL_2_REF, users=[sa_user])
             _create_test_subscription(sub2_name, DISTINCT_MODEL_2_REF, users=[sa_user])
 
-            _wait_reconcile()
+            _wait_for_maas_auth_policy_ready(auth1_name)
+            _wait_for_maas_auth_policy_ready(auth2_name)
+            _wait_for_maas_subscription_ready(sub1_name)
+            _wait_for_maas_subscription_ready(sub2_name)
 
             # Query with K8s token (no header)
             log.info("Querying /v1/models with K8s token (no header) - should return models from both subscriptions")
@@ -2018,7 +2026,10 @@ def test_service_account_token_multiple_subs_with_header(self):
             _create_test_auth_policy(auth2_name, DISTINCT_MODEL_2_REF, users=[sa_user])
             _create_test_subscription(sub2_name, DISTINCT_MODEL_2_REF, users=[sa_user])
 
-            _wait_reconcile()
+            _wait_for_maas_auth_policy_ready(auth1_name)
+            _wait_for_maas_auth_policy_ready(auth2_name)
+            _wait_for_maas_subscription_ready(sub1_name)
+            _wait_for_maas_subscription_ready(sub2_name)
 
             # Query with K8s token and header specifying sub1
             log.info(f"Querying /v1/models with K8s token and header: {sub1_name}")

test/e2e/tests/test_subscription.py

@@ -1048,6 +1048,10 @@ def test_rate_limit_exhaustion_gets_429(self):
             )
             _wait_reconcile()
 
+            # Wait for TRLP to be created AND enforced by Kuadrant/Limitador.
+            # Without this, requests bypass token rate limiting entirely.
+            _wait_for_token_rate_limit_policy(model_ref, model_namespace=MODEL_NAMESPACE, timeout=90)
+
             # 3. API key must be minted for this subscription
             oc_token = _get_cluster_token()
             api_key = _create_api_key(