feat: simplify AuthPolicy to pass full subscription-info object

Pass the complete subscription-info object instead of extracting individual
fields, simplifying the AuthPolicy and enabling consumers to access any field
without controller changes.

Changes:
- Add subscription_info field with full auth.metadata["subscription-info"] object
- Remove redundant top-level fields:
  - organizationId (now: subscription_info.organizationId)
  - costCenter (now: subscription_info.costCenter)
  - subscription_labels (now: subscription_info.labels)
- Update TelemetryPolicy to access nested fields
- Add test coverage verifying subscription_info returns full object

Benefits:
- Cleaner policy: single object vs multiple extracted fields
- Extensibility: new subscription fields automatically available
- Consistency: field name matches source (subscription-info → subscription_info)

Consumers should update expressions:
  Before: auth.identity.organizationId
  After:  auth.identity.subscription_info.organizationId

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: jrhyness

deployment/base/observability/gateway-telemetry-policy.yaml

@@ -12,8 +12,8 @@ spec:
         user: auth.identity.userid
         # Subscription metadata for usage attribution and billing
         subscription: auth.identity.selected_subscription
-        organization_id: auth.identity.organizationId
-        cost_center: auth.identity.costCenter
+        organization_id: auth.identity.subscription_info.organizationId
+        cost_center: auth.identity.subscription_info.costCenter
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway

docs/content/configuration-and-management/maas-controller-overview.md

@@ -243,7 +243,7 @@ The controller-generated AuthPolicies do **not** inject identity-related HTTP he
 
 All identity information remains available to **gateway-level features** through Authorino's `auth.identity` and `auth.metadata` contexts, which are consumed by:
 
-- **TokenRateLimitPolicy (TRLP)**: Uses `selected_subscription_key`, `userid`, `groups`, and `subscription_labels` from `filters.identity`
+- **TokenRateLimitPolicy (TRLP)**: Uses `selected_subscription_key`, `userid`, `groups`, and `subscription_info` from `filters.identity` (access `subscription_info.labels` for tier-based rate limiting)
 - **Gateway telemetry/metrics**: Accesses identity fields with `metrics: true` enabled on `filters.identity`
 - **Authorization policies**: OPA/Rego rules evaluate `auth.identity` and `auth.metadata` directly
 

maas-controller/pkg/controller/maas/maasauthpolicy_controller.go

@@ -477,14 +477,11 @@ allow {
 										ref.Namespace, ref.Name,
 									),
 								},
-								"organizationId": map[string]interface{}{
-									"expression": `has(auth.metadata["subscription-info"].organizationId) ? auth.metadata["subscription-info"].organizationId : ""`,
-								},
-								"costCenter": map[string]interface{}{
-									"expression": `has(auth.metadata["subscription-info"].costCenter) ? auth.metadata["subscription-info"].costCenter : ""`,
-								},
-								"subscription_labels": map[string]interface{}{
-									"expression": `has(auth.metadata["subscription-info"].labels) ? auth.metadata["subscription-info"].labels : {}`,
+								// Full subscription-info object from subscription-select endpoint
+								// Contains: name, namespace, labels, organizationId, costCenter, error, message
+								// Consumers should access nested fields (e.g., subscription_info.organizationId)
+								"subscription_info": map[string]interface{}{
+									"expression": `has(auth.metadata["subscription-info"]) ? auth.metadata["subscription-info"] : {}`,
 								},
 								// Error information (for debugging - only populated when selection fails)
 								"subscription_error": map[string]interface{}{

maas-controller/pkg/controller/maas/maasauthpolicy_controller_test.go

@@ -1137,7 +1137,7 @@ func TestMaaSAuthPolicyReconciler_NoIdentityHeadersUpstream(t *testing.T) {
 			"groups",                      // User groups
 			"selected_subscription_key",   // Model-scoped subscription key for TRLP
 			"selected_subscription",       // Subscription name
-			"subscription_labels",         // Labels for rate limit tiers
+			"subscription_info",           // Full subscription object (includes labels, organizationId, costCenter, etc.)
 		}
 
 		for _, field := range requiredFields {
@@ -1148,16 +1148,55 @@ func TestMaaSAuthPolicyReconciler_NoIdentityHeadersUpstream(t *testing.T) {
 
 		// Verify telemetry/observability fields
 		observabilityFields := []string{
-			"keyId",          // API key tracking
-			"organizationId", // Cost attribution
-			"costCenter",     // Chargeback
+			"keyId", // API key tracking
 		}
 
 		for _, field := range observabilityFields {
 			if _, exists := identity[field]; !exists {
 				t.Errorf("filters.identity should include %q for observability, but it's missing", field)
 			}
 		}
+
+		// Verify subscription_info contains full object (not just individual fields)
+		// This object should contain: name, namespace, labels, organizationId, costCenter
+		// Consumers should access nested fields like:
+		//   - subscription_info.organizationId (for billing/cost attribution)
+		//   - subscription_info.costCenter (for chargeback)
+		//   - subscription_info.labels (for tier-based rate limiting)
+		subscriptionInfoField, exists := identity["subscription_info"]
+		if !exists {
+			t.Error("filters.identity must include 'subscription_info' field (full object from subscription-select)")
+		} else {
+			// Verify it's an expression that returns the full object
+			subscriptionInfoMap, ok := subscriptionInfoField.(map[string]interface{})
+			if !ok {
+				t.Errorf("subscription_info should be a map, got %T", subscriptionInfoField)
+			} else {
+				expr, hasExpr := subscriptionInfoMap["expression"]
+				if !hasExpr {
+					t.Error("subscription_info should have an 'expression' field")
+				} else {
+					exprStr, ok := expr.(string)
+					if !ok {
+						t.Errorf("subscription_info expression should be a string, got %T", expr)
+					} else {
+						// Verify it returns the full object, not just a sub-field
+						if !contains(exprStr, `auth.metadata["subscription-info"]`) {
+							t.Errorf("subscription_info expression should reference full subscription-info object, got: %s", exprStr)
+						}
+						// Verify it doesn't extract only labels (old behavior)
+						if contains(exprStr, ".labels") && !contains(exprStr, "?") {
+							t.Errorf("subscription_info expression should return full object, not just .labels, got: %s", exprStr)
+						}
+						// Note: We can't verify organizationId and costCenter exist at runtime here
+						// (they're optional fields that depend on MaaSSubscription configuration)
+						// but the full object is passed, so consumers can access them via:
+						// auth.identity.subscription_info.organizationId
+						// auth.identity.subscription_info.costCenter
+					}
+				}
+			}
+		}
 	})
 
 	// Test 3: Verify metrics are enabled on identity filter