Add managed-by label for Authorino to API key secrets (#23)

nerdalert · web-flow · commit b4f943b9975c · 2025-08-26T01:03:39.000-04:00
API key Secrets created by the key-manager include the
label `authorino.kuadrant.io/managed-by=authorino`. This makes new
secrets immediately discoverable by Authorino without requiring
a hot-reload.

Signed-off-by: Brent Salisbury &lt;bsalisbu@redhat.com&gt;
diff --git a/deployment/kuadrant-openshift/key-manager/04-token-rate-limit-policy.yaml b/deployment/kuadrant-openshift/key-manager/04-token-rate-limit-policy.yaml
@@ -8,7 +8,6 @@ metadata:
   name: gateway-default-unlimited
   namespace: llm
   labels:
-    maas/managed-by: "key-manager"
     maas/resource-type: "default-rate-limit"
   annotations:
     maas/description: "Default unlimited rate policy - teams can override with specific limits"
diff --git a/deployment/kuadrant-openshift/key-manager/internal/auth/middleware.go b/deployment/kuadrant-openshift/key-manager/internal/auth/middleware.go
@@ -56,4 +56,4 @@ func getEnvOrDefault(key, defaultValue string) string {
 		return value
 	}
 	return defaultValue
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/config/config.go b/deployment/kuadrant-openshift/key-manager/internal/config/config.go
@@ -50,4 +50,4 @@ func getEnvOrDefault(key, defaultValue string) string {
 		return value
 	}
 	return defaultValue
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/handlers/health.go b/deployment/kuadrant-openshift/key-manager/internal/handlers/health.go
@@ -17,4 +17,4 @@ func NewHealthHandler() *HealthHandler {
 // HealthCheck handles GET /health
 func (h *HealthHandler) HealthCheck(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"status": "healthy"})
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/handlers/keys.go b/deployment/kuadrant-openshift/key-manager/internal/handlers/keys.go
@@ -131,4 +131,4 @@ func (h *KeysHandler) ListUserKeys(c *gin.Context) {
 		"keys":       keys,
 		"total_keys": len(keys),
 	})
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/handlers/legacy.go b/deployment/kuadrant-openshift/key-manager/internal/handlers/legacy.go
@@ -79,4 +79,4 @@ func (h *LegacyHandler) DeleteKey(c *gin.Context) {
 		"message":     "API key deleted successfully",
 		"secret_name": secretName,
 	})
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/handlers/models.go b/deployment/kuadrant-openshift/key-manager/internal/handlers/models.go
@@ -35,4 +35,4 @@ func (h *ModelsHandler) ListModels(c *gin.Context) {
 	}
 
 	c.JSON(http.StatusOK, response)
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/handlers/teams.go b/deployment/kuadrant-openshift/key-manager/internal/handlers/teams.go
@@ -143,4 +143,4 @@ func (h *TeamsHandler) DeleteTeam(c *gin.Context) {
 
 	log.Printf("Team deleted successfully: %s", teamID)
 	c.JSON(http.StatusOK, gin.H{"message": "Team deleted successfully", "team_id": teamID})
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/handlers/usage.go b/deployment/kuadrant-openshift/key-manager/internal/handlers/usage.go
@@ -26,7 +26,7 @@ type UsageHandler struct {
 // NewUsageHandler creates a new usage handler
 func NewUsageHandler(clientset *kubernetes.Clientset, config *rest.Config, keyNamespace string) *UsageHandler {
 	collector := usage.NewCollector(clientset, config, keyNamespace)
-	
+
 	return &UsageHandler{
 		clientset:    clientset,
 		config:       config,
@@ -108,11 +108,11 @@ func (h *UsageHandler) enrichUserUsage(userUsage *types.UserUsage) error {
 	}
 
 	// Create policy -> team mapping
-	policyToTeam := make(map[string]struct{
+	policyToTeam := make(map[string]struct {
 		teamID   string
 		teamName string
 	})
-	
+
 	for _, secret := range secrets.Items {
 		policy := secret.Annotations["maas/policy"]
 		if policy != "" {
@@ -141,9 +141,9 @@ func (h *UsageHandler) enrichUserUsage(userUsage *types.UserUsage) error {
 func (h *UsageHandler) enrichTeamUsage(teamUsage *types.TeamUsage) error {
 	for i, userUsage := range teamUsage.UserBreakdown {
 		// Find user's API key secret to get email
-		labelSelector := fmt.Sprintf("kuadrant.io/apikeys-by=rhcl-keys,maas/team-id=%s,maas/user-id=%s", 
+		labelSelector := fmt.Sprintf("kuadrant.io/apikeys-by=rhcl-keys,maas/team-id=%s,maas/user-id=%s",
 			teamUsage.TeamID, userUsage.UserID)
-		
+
 		secrets, err := h.clientset.CoreV1().Secrets(h.keyNamespace).List(
 			context.Background(), metav1.ListOptions{LabelSelector: labelSelector})
 		if err != nil {
@@ -160,4 +160,4 @@ func (h *UsageHandler) enrichTeamUsage(teamUsage *types.TeamUsage) error {
 	}
 
 	return nil
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/keys/generator.go b/deployment/kuadrant-openshift/key-manager/internal/keys/generator.go
@@ -34,4 +34,4 @@ func isValidUserID(userID string) bool {
 // ValidateUserID validates a user ID using Kubernetes naming rules
 func ValidateUserID(userID string) bool {
 	return isValidUserID(userID)
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/keys/manager.go b/deployment/kuadrant-openshift/key-manager/internal/keys/manager.go
@@ -12,7 +12,6 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/redhat-et/maas-billing/deployment/kuadrant-openshift/key-manager-v2/internal/teams"
@@ -102,17 +101,6 @@ func (m *Manager) CreateTeamKey(teamID string, req *CreateTeamKeyRequest) (*Crea
 		return nil, fmt.Errorf("failed to create key secret: %w", err)
 	}
 
-	log.Printf("API key created for team %s, team policies will apply automatically", teamID)
-
-	// Restart Authorino to reload API key configuration immediately
-	// This is critical for the new API key to be discovered by Kuadrant
-	err = m.restartAuthorino()
-	if err != nil {
-		log.Printf("Warning: Failed to restart Authorino after key creation: %v", err)
-	} else {
-		log.Printf("Restarted Authorino to reload API key configuration")
-	}
-
 	// Get inherited policies
 	inheritedPolicies := m.buildInheritedPolicies(teamMember)
 
@@ -333,14 +321,15 @@ func (m *Manager) createKeySecret(teamID string, req *CreateTeamKeyRequest, apiK
 			Name:      secretName,
 			Namespace: m.keyNamespace,
 			Labels: map[string]string{
-				"kuadrant.io/auth-secret": "true",        // Required for working AuthPolicy
-				"kuadrant.io/apikeys-by":  "rhcl-keys",   // Required for key listing functions
-				"app":                     "llm-gateway", // Required for working AuthPolicy
-				"maas/user-id":            req.UserID,
-				"maas/team-id":            teamID,
-				"maas/team-role":          teamMember.Role,
-				"maas/key-sha256":         keyHash[:32],
-				"maas/resource-type":      "team-key",
+				"kuadrant.io/auth-secret":              "true",        // Required for working AuthPolicy
+				"kuadrant.io/apikeys-by":               "rhcl-keys",   // Required for key listing functions
+				"app":                                  "llm-gateway", // Required for working AuthPolicy
+				"authorino.kuadrant.io/managed-by":     "authorino",   // Ensure Authorino always sees it
+				"maas/user-id":                         req.UserID,
+				"maas/team-id":                         teamID,
+				"maas/team-role":                       teamMember.Role,
+				"maas/key-sha256":                      keyHash[:32],
+				"maas/resource-type":                   "team-key",
 				// Policy targeting label - this is how Kuadrant policies find API keys
 				fmt.Sprintf("maas/policy-%s", teamMember.Policy): "true",
 			},
@@ -385,19 +374,3 @@ func (m *Manager) buildInheritedPolicies(teamMember *teams.TeamMember) map[strin
 		"role":      teamMember.Role,
 	}
 }
-
-// restartAuthorino restarts the Authorino deployment to reload API key configuration
-func (m *Manager) restartAuthorino() error {
-	// Create patch to trigger rolling restart
-	restartPatch := []byte(fmt.Sprintf(`{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"%s"}}}}}`, time.Now().Format(time.RFC3339)))
-
-	// Apply patch to Authorino deployment
-	_, err := m.clientset.AppsV1().Deployments("kuadrant-system").Patch(
-		context.Background(),
-		"authorino",
-		types.StrategicMergePatchType,
-		restartPatch,
-		metav1.PatchOptions{})
-
-	return err
-}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/keys/types.go b/deployment/kuadrant-openshift/key-manager/internal/keys/types.go
@@ -2,11 +2,11 @@ package keys
 
 // API key structures
 type CreateTeamKeyRequest struct {
-	UserID            string                 `json:"user_id" binding:"required"`
-	UserEmail         string                 `json:"user_email"`
-	Alias             string                 `json:"alias"`
-	Models            []string               `json:"models"`
-	InheritTeamLimits bool                   `json:"inherit_team_limits"`
+	UserID            string   `json:"user_id" binding:"required"`
+	UserEmail         string   `json:"user_email"`
+	Alias             string   `json:"alias"`
+	Models            []string `json:"models"`
+	InheritTeamLimits bool     `json:"inherit_team_limits"`
 	// Rate limit overrides
 	TokenLimit   int                    `json:"token_limit,omitempty"`
 	RequestLimit int                    `json:"request_limit,omitempty"`
diff --git a/deployment/kuadrant-openshift/key-manager/internal/models/kserve.go b/deployment/kuadrant-openshift/key-manager/internal/models/kserve.go
@@ -77,4 +77,4 @@ func (m *Manager) ListAvailableModels() ([]ModelInfo, error) {
 	}
 
 	return modelList, nil
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/models/types.go b/deployment/kuadrant-openshift/key-manager/internal/models/types.go
@@ -10,4 +10,4 @@ type ModelInfo struct {
 
 type ModelsResponse struct {
 	Models []ModelInfo `json:"models"`
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/teams/manager.go b/deployment/kuadrant-openshift/key-manager/internal/teams/manager.go
@@ -115,7 +115,7 @@ func (m *Manager) List() ([]map[string]interface{}, error) {
 	teams := make([]map[string]interface{}, 0)
 	for _, secret := range secrets.Items {
 		teamID := secret.Labels["maas/team-id"]
-		
+
 		// Get team key count
 		keyCount := 0
 		userCount := 0
@@ -127,13 +127,13 @@ func (m *Manager) List() ([]map[string]interface{}, error) {
 		}
 
 		team := map[string]interface{}{
-			"team_id":    secret.Labels["maas/team-id"],
-			"team_name":  secret.Annotations["maas/team-name"],
+			"team_id":     secret.Labels["maas/team-id"],
+			"team_name":   secret.Annotations["maas/team-name"],
 			"description": secret.Annotations["maas/description"],
-			"policy":     secret.Annotations["maas/policy"],
-			"created_at": secret.Annotations["maas/created-at"],
-			"key_count":  keyCount,
-			"user_count": userCount,
+			"policy":      secret.Annotations["maas/policy"],
+			"created_at":  secret.Annotations["maas/created-at"],
+			"key_count":   keyCount,
+			"user_count":  userCount,
 		}
 		teams = append(teams, team)
 	}
@@ -228,7 +228,7 @@ func (m *Manager) Update(teamID string, req *UpdateTeamRequest) error {
 			// Use existing values as defaults, override only what's specified
 			tokenLimit := currentTokenLimit
 			timeWindow := currentTimeWindow
-			
+
 			if req.TokenLimit != nil {
 				tokenLimit = *req.TokenLimit
 			}
@@ -477,4 +477,4 @@ func (m *Manager) updateTeamKeysPolicy(teamID, newPolicy string) error {
 
 	log.Printf("Updated %d API keys for team %s to policy %s", len(secrets.Items), teamID, newPolicy)
 	return nil
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/teams/policy.go b/deployment/kuadrant-openshift/key-manager/internal/teams/policy.go
@@ -79,21 +79,21 @@ func (p *PolicyManager) GetPolicyLimits(policyName string) (int, string, error)
 	if spec, ok := policyObj.Object["spec"].(map[string]interface{}); ok {
 		if limits, ok := spec["limits"].(map[string]interface{}); ok {
 			limitName := fmt.Sprintf("%s", policyName)
-			
+
 			if limitConfig, exists := limits[limitName]; exists {
 				if limitMap, ok := limitConfig.(map[string]interface{}); ok {
 					if rates, ok := limitMap["rates"].([]interface{}); ok && len(rates) > 0 {
 						if rate, ok := rates[0].(map[string]interface{}); ok {
 							tokenLimit := 100000 // default
 							timeWindow := "1h"   // default
-							
+
 							if limit, ok := rate["limit"].(float64); ok {
 								tokenLimit = int(limit)
 							}
 							if window, ok := rate["window"].(string); ok {
 								timeWindow = window
 							}
-							
+
 							return tokenLimit, timeWindow, nil
 						}
 					}
@@ -420,4 +420,4 @@ func (p *PolicyManager) isPolicyEnforced(policyObj map[string]interface{}) bool
 	}
 
 	return false
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/teams/types.go b/deployment/kuadrant-openshift/key-manager/internal/teams/types.go
@@ -71,4 +71,4 @@ func isValidTeamID(teamID string) bool {
 	// Must start and end with an alphanumeric character
 	validPattern := regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)
 	return validPattern.MatchString(teamID)
-}
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/types/usage.go b/deployment/kuadrant-openshift/key-manager/internal/types/usage.go
@@ -4,50 +4,50 @@ import "time"
 
 // UserUsage represents aggregated usage for a specific user
 type UserUsage struct {
-	UserID              string                 `json:"user_id"`
-	TotalTokenUsage     int64                  `json:"total_token_usage"`
-	TotalAuthorizedCalls int64                 `json:"total_authorized_calls"`
-	TotalLimitedCalls   int64                  `json:"total_limited_calls"`
-	TeamBreakdown       []TeamUserUsage        `json:"team_breakdown"`
-	LastUpdated         time.Time              `json:"last_updated"`
+	UserID               string          `json:"user_id"`
+	TotalTokenUsage      int64           `json:"total_token_usage"`
+	TotalAuthorizedCalls int64           `json:"total_authorized_calls"`
+	TotalLimitedCalls    int64           `json:"total_limited_calls"`
+	TeamBreakdown        []TeamUserUsage `json:"team_breakdown"`
+	LastUpdated          time.Time       `json:"last_updated"`
 }
 
 // TeamUsage represents aggregated usage for a specific team (group)
 type TeamUsage struct {
-	TeamID              string                 `json:"team_id"`
-	TeamName            string                 `json:"team_name"`
-	Policy              string                 `json:"policy"`
-	TotalTokenUsage     int64                  `json:"total_token_usage"`
-	TotalAuthorizedCalls int64                 `json:"total_authorized_calls"`
-	TotalLimitedCalls   int64                  `json:"total_limited_calls"`
-	UserBreakdown       []UserTeamUsage        `json:"user_breakdown"`
-	LastUpdated         time.Time              `json:"last_updated"`
+	TeamID               string          `json:"team_id"`
+	TeamName             string          `json:"team_name"`
+	Policy               string          `json:"policy"`
+	TotalTokenUsage      int64           `json:"total_token_usage"`
+	TotalAuthorizedCalls int64           `json:"total_authorized_calls"`
+	TotalLimitedCalls    int64           `json:"total_limited_calls"`
+	UserBreakdown        []UserTeamUsage `json:"user_breakdown"`
+	LastUpdated          time.Time       `json:"last_updated"`
 }
 
 // TeamUserUsage represents a user's usage within a specific team context
 type TeamUserUsage struct {
-	TeamID              string `json:"team_id"`
-	TeamName            string `json:"team_name"`
-	Policy              string `json:"policy"`
-	TokenUsage          int64  `json:"token_usage"`
-	AuthorizedCalls     int64  `json:"authorized_calls"`
-	LimitedCalls        int64  `json:"limited_calls"`
+	TeamID          string `json:"team_id"`
+	TeamName        string `json:"team_name"`
+	Policy          string `json:"policy"`
+	TokenUsage      int64  `json:"token_usage"`
+	AuthorizedCalls int64  `json:"authorized_calls"`
+	LimitedCalls    int64  `json:"limited_calls"`
 }
 
 // UserTeamUsage represents team usage broken down by user
 type UserTeamUsage struct {
-	UserID              string `json:"user_id"`
-	UserEmail           string `json:"user_email"`
-	TokenUsage          int64  `json:"token_usage"`
-	AuthorizedCalls     int64  `json:"authorized_calls"`
-	LimitedCalls        int64  `json:"limited_calls"`
+	UserID          string `json:"user_id"`
+	UserEmail       string `json:"user_email"`
+	TokenUsage      int64  `json:"token_usage"`
+	AuthorizedCalls int64  `json:"authorized_calls"`
+	LimitedCalls    int64  `json:"limited_calls"`
 }
 
 // PrometheusMetric represents a parsed Prometheus metric
 type PrometheusMetric struct {
-	Name      string            `json:"name"`
-	Labels    map[string]string `json:"labels"`
-	Value     int64             `json:"value"`
-	Help      string            `json:"help"`
-	Type      string            `json:"type"`
-}
+	Name   string            `json:"name"`
+	Labels map[string]string `json:"labels"`
+	Value  int64             `json:"value"`
+	Help   string            `json:"help"`
+	Type   string            `json:"type"`
+}
diff --git a/deployment/kuadrant-openshift/key-manager/internal/usage/collector.go b/deployment/kuadrant-openshift/key-manager/internal/usage/collector.go

Original file line number	Diff line number	Diff line change
`@@ -56,4 +56,4 @@ func getEnvOrDefault(key, defaultValue string) string {`
`56`	`56`	`return value`
`57`	`57`	`}`
`58`	`58`	`return defaultValue`
`59`		`-}`
	`59`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -50,4 +50,4 @@ func getEnvOrDefault(key, defaultValue string) string {`
`50`	`50`	`return value`
`51`	`51`	`}`
`52`	`52`	`return defaultValue`
`53`		`-}`
	`53`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -35,4 +35,4 @@ func (h ModelsHandler) ListModels(c gin.Context) {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`c.JSON(http.StatusOK, response)`
`38`		`-}`
	`38`	`+}`