Merge branch 'main' of github.com:redhat-et/maas-billing into clean_maas

Author: dmytro-zaharnytskyi

deployment/base/maas-controller/crd/bases/maas.opendatahub.io_externalmodels.yaml

@@ -0,0 +1,164 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: externalmodels.maas.opendatahub.io
+spec:
+  group: maas.opendatahub.io
+  names:
+    kind: ExternalModel
+    listKind: ExternalModelList
+    plural: externalmodels
+    singular: externalmodel
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.provider
+      name: Provider
+      type: string
+    - jsonPath: .spec.endpoint
+      name: Endpoint
+      type: string
+    - jsonPath: .status.phase
+      name: Phase
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ExternalModel is the Schema for the externalmodels API.
+          It defines an external LLM provider (e.g., OpenAI, Anthropic) that can be
+          referenced by MaaSModelRef resources.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ExternalModelSpec defines the desired state of ExternalModel
+            properties:
+              credentialRef:
+                description: |-
+                  CredentialRef references a Kubernetes Secret containing the provider API key.
+                  The Secret must contain a data key "api-key" with the credential value.
+                properties:
+                  name:
+                    description: Name is the name of the Secret
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                type: object
+              endpoint:
+                description: |-
+                  Endpoint is the FQDN of the external provider (no scheme or path).
+                  e.g. "api.openai.com".
+                  This field is metadata for downstream consumers (e.g. BBR provider-resolver plugin)
+                  and is not used by the controller for endpoint derivation.
+                maxLength: 253
+                pattern: ^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$
+                type: string
+              provider:
+                description: |-
+                  Provider identifies the API format and auth type for the external model.
+                  e.g. "openai", "anthropic".
+                maxLength: 63
+                type: string
+            required:
+            - credentialRef
+            - endpoint
+            - provider
+            type: object
+          status:
+            description: ExternalModelStatus defines the observed state of ExternalModel
+            properties:
+              conditions:
+                description: Conditions represent the latest available observations
+                  of the external model's state
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              phase:
+                description: Phase represents the current phase of the external model
+                enum:
+                - Pending
+                - Ready
+                - Failed
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

deployment/base/maas-controller/crd/bases/maas.opendatahub.io_maasmodelrefs.yaml

@@ -55,25 +55,6 @@ spec:
           spec:
             description: MaaSModelSpec defines the desired state of MaaSModelRef
             properties:
-              credentialRef:
-                description: |-
-                  CredentialRef references a Kubernetes Secret containing the provider API key.
-                  The Secret must contain a data key "api-key" with the credential value.
-                  Only used when modelRef.kind=ExternalModel.
-                properties:
-                  name:
-                    description: Name is the name of the Secret
-                    maxLength: 253
-                    minLength: 1
-                    type: string
-                  namespace:
-                    description: Namespace is the namespace of the Secret. Defaults
-                      to the MaaSModelRef namespace if omitted.
-                    maxLength: 253
-                    type: string
-                required:
-                - name
-                type: object
               endpointOverride:
                 description: |-
                   EndpointOverride, when set, overrides the endpoint URL that the controller
@@ -83,39 +64,27 @@ spec:
               modelRef:
                 description: ModelRef references the actual model endpoint
                 properties:
-                  endpoint:
-                    description: |-
-                      Endpoint is the FQDN of the external provider (no scheme or path).
-                      e.g. "api.openai.com". Only used when kind=ExternalModel.
-                      This field is metadata for downstream consumers (e.g. BBR provider-resolver plugin)
-                      and is not used by the controller for endpoint derivation. Use spec.endpointOverride
-                      to override the controller-derived endpoint.
-                    maxLength: 253
-                    pattern: ^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$
-                    type: string
                   kind:
-                    description: Kind determines which fields are available
+                    description: |-
+                      Kind determines which backend handles this model reference.
+                      LLMInferenceService: references a KServe LLMInferenceService.
+                      ExternalModel: references an ExternalModel CR containing provider config.
                     enum:
                     - LLMInferenceService
                     - ExternalModel
                     type: string
                   name:
-                    description: Name is the name of the model resource
-                    type: string
-                  provider:
                     description: |-
-                      Provider identifies the API format and auth type for external models.
-                      e.g. "openai", "anthropic". Only used when kind=ExternalModel.
-                    maxLength: 63
+                      Name is the name of the model resource.
+                      For LLMInferenceService, this is the InferenceService name.
+                      For ExternalModel, this is the ExternalModel CR name.
+                    maxLength: 253
+                    minLength: 1
                     type: string
                 required:
                 - kind
                 - name
                 type: object
-                x-kubernetes-validations:
-                - message: provider is required when kind is ExternalModel
-                  rule: self.kind != 'ExternalModel' || has(self.provider) && self.provider
-                    != ''
             required:
             - modelRef
             type: object

deployment/base/maas-controller/crd/kustomization.yaml

@@ -1,5 +1,6 @@
 # This kustomization.yaml is used for CRD generation.
 resources:
+  - bases/maas.opendatahub.io_externalmodels.yaml
   - bases/maas.opendatahub.io_maasauthpolicies.yaml
   - bases/maas.opendatahub.io_maasmodelrefs.yaml
   - bases/maas.opendatahub.io_maassubscriptions.yaml

deployment/base/maas-controller/rbac/clusterrole.yaml

@@ -4,13 +4,13 @@ metadata:
   name: maas-controller-role
 rules:
 - apiGroups: ["maas.opendatahub.io"]
-  resources: ["maasauthpolicies", "maasmodelrefs", "maassubscriptions"]
+  resources: ["externalmodels", "maasauthpolicies", "maasmodelrefs", "maassubscriptions"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["maas.opendatahub.io"]
-  resources: ["maasauthpolicies/finalizers", "maasmodelrefs/finalizers", "maassubscriptions/finalizers"]
+  resources: ["externalmodels/finalizers", "maasauthpolicies/finalizers", "maasmodelrefs/finalizers", "maassubscriptions/finalizers"]
   verbs: ["update"]
 - apiGroups: ["maas.opendatahub.io"]
-  resources: ["maasauthpolicies/status", "maasmodelrefs/status", "maassubscriptions/status"]
+  resources: ["externalmodels/status", "maasauthpolicies/status", "maasmodelrefs/status", "maassubscriptions/status"]
   verbs: ["get", "patch", "update"]
 - apiGroups: ["gateway.networking.k8s.io"]
   resources: ["gateways"]

docs/content/architecture.md

@@ -214,7 +214,7 @@ The MaaSAuthPolicy delegates to the MaaS API for key validation and subscription
 2. MaaS API validates the key (format, not revoked, not expired) and returns username, groups, and subscription.
 3. Authorino calls MaaS API to check subscription (groups, username, requested subscription from the key).
 4. If the user lacks access to the requested subscription → error (403).
-5. On success, returns selected subscription; Authorino caches the result (e.g., 60s TTL). AuthPolicy may inject `X-MaaS-Subscription` for downstream rate limiting.
+5. On success, returns selected subscription; Authorino caches the result (e.g., 60s TTL). AuthPolicy may inject `X-MaaS-Subscription` **server-side** for downstream rate limiting and metrics. Clients do not send this header on inference; subscription comes from the API key record created at mint time.
 
 ```mermaid
 graph TB

docs/content/configuration-and-management/maas-controller-overview.md

@@ -220,14 +220,11 @@ flowchart LR
 
 ## 9. Authentication (Current Behavior)
 
-For **GET /v1/models**, the API forwards the client’s **Authorization** header as-is to each model endpoint (no token exchange). For inference, until MaaS API token minting is in place, use the **OpenShift token**:
+For **GET /v1/models**, the maas-api forwards the client’s **Authorization** header as-is to each model endpoint (no token exchange). You can use an **OpenShift token** or an **API key** (`sk-oai-*`). With a user token, you may send `X-MaaS-Subscription` to filter when you have access to multiple subscriptions.
 
-```bash
-export TOKEN=$(oc whoami -t)
-curl -H "Authorization: Bearer $TOKEN" "https://<gateway-host>/llm/<model-name>/v1/chat/completions" -d '...'
-```
+For **model inference** (requests to `…/llm/<model>/v1/chat/completions` and similar), use an **API key** created via `POST /v1/api-keys` only. Each key is bound to one MaaSSubscription at mint time.
 
-The Kuadrant AuthPolicy validates this token via **Kubernetes TokenReview** and derives user/groups for authorization and for the identity passed to TokenRateLimitPolicy (including `groups_str`).
+The Kuadrant AuthPolicy validates API keys via the MaaS API and validates user tokens via `Kubernetes TokenReview`, deriving user/groups for authorization and for TokenRateLimitPolicy (including `groups_str`).
 
 ---
 

docs/content/configuration-and-management/maas-model-kinds.md

@@ -1,4 +1,4 @@
-# MaaSModelRef kinds (future)
+# MaaSModelRef Kinds
 
 The MaaS API lists models from **MaaSModelRef** CRs only. Each MaaSModelRef defines a **backend reference** (`spec.modelRef`) that identifies the type and location of the model endpoint—similar in spirit to how [Gateway API's BackendRef](https://gateway-api.sigs.k8s.io/reference/spec/#backendref) defines how a Route forwards requests to a Kubernetes resource (group, kind, name, namespace).
 
@@ -41,11 +41,31 @@ spec:
 
 The controller still validates the backend (HTTPRoute exists, LLMInferenceService is ready, etc.) — the override only affects the final endpoint URL written to `status.endpoint`. When the field is empty or omitted, the controller uses its normal discovery logic.
 
-## Current behavior
+## Supported Kinds
 
-- **Supported kind today:** `LLMInferenceService` (also accepts the alias `llmisvc` for backwards compatibility). The MaaS controller reconciles MaaSModelRefs whose **modelRef** points to an LLMInferenceService (by name and optional namespace). It sets `status.endpoint` from the LLMInferenceService status and `status.phase` from its readiness.
-- **API behavior:** The API reads MaaSModelRefs from the informer cache, maps each to an API model (`id`, `url`, `ready`, `kind`, etc.), then **validates access** by probing each model's `/v1/models` endpoint with the request's **Authorization header** (passed through as-is). Only models that return 2xx or 405 are included.
-- **Kind on the wire:** Each model in the GET /v1/models response can carry a `kind` field (e.g. `LLMInferenceService`) from `spec.modelRef.kind` for clients or tooling.
+### LLMInferenceService
+
+The `LLMInferenceService` kind (also accepts the alias `llmisvc` for backwards compatibility) references models deployed on the cluster via the LLMInferenceService CRD. The controller:
+- Sets `status.endpoint` from the LLMInferenceService status
+- Sets `status.phase` from LLMInferenceService readiness
+
+### ExternalModel
+
+The `ExternalModel` kind references external AI/ML providers (e.g., OpenAI, Anthropic, Azure OpenAI). When using this kind:
+1. Create an [ExternalModel](../reference/crds/external-model.md) CR with provider, endpoint, and credential reference
+2. Create a MaaSModelRef that references the ExternalModel by name
+
+The controller:
+- Fetches the ExternalModel CR from the same namespace
+- Validates the user-supplied HTTPRoute references the correct gateway
+- Derives `status.endpoint` from HTTPRoute hostnames or gateway addresses
+- Sets `status.phase` based on HTTPRoute acceptance by the gateway
+
+## API Behavior
+
+- The API reads MaaSModelRefs from the informer cache, maps each to an API model (`id`, `url`, `ready`, `kind`, etc.)
+- **Access validation**: Probes each model's `/v1/models` endpoint with the request's Authorization header. Only models that return 2xx or 405 are included.
+- **Kind on the wire**: Each model in the GET /v1/models response carries a `kind` field from `spec.modelRef.kind`
 
 ## Adding a new kind in the future
 

docs/content/configuration-and-management/model-listing-flow.md

@@ -64,8 +64,6 @@ The `/v1/models` endpoint automatically filters models based on your authenticat
 #### API Key Authentication (Bearer sk-oai-*)
 When using an API key, the subscription is automatically determined from the key:
 - Returns **only** models from the subscription bound to the API key at mint time
-- The `X-MaaS-Subscription` header is automatically injected by the gateway
-- **No manual headers required**
 
 ```bash
 # API key bound to "premium-subscription"

docs/content/configuration-and-management/quota-and-access-configuration.md

@@ -222,12 +222,6 @@ When a user belongs to multiple groups that each have a subscription, the access
 
 ## Troubleshooting
 
-### 403 Forbidden: "must specify X-MaaS-Subscription"
-
-**Cause:** User has multiple subscriptions and did not send the header.
-
-**Fix:** Add `X-MaaS-Subscription: <subscription-name>` to the request.
-
 ### 403 Forbidden: "no access to subscription"
 
 **Cause:** User requested a subscription they do not belong to (group membership).

docs/content/configuration-and-management/subscription-overview.md

@@ -6,7 +6,7 @@ MaaSAuthPolicy and MaaSSubscription are namespace-scoped to `models-as-a-service
 
 ```mermaid
 flowchart TD
-    User([User / App]) -- "Request (Model + SubID)" --> Gateway{MaaS API Gateway}
+    User([User / App]) -- "Request (API key + model)" --> Gateway{MaaS API Gateway}
 
     subgraph Validation ["Dual-Check Gate"]
         direction LR