feat: MaaSAuthPolicy/MaaSSubscription support for inference.opendatahub.io ExternalModels #856

@yossiovadia

Context

The new inference.opendatahub.io/v1alpha1 ExternalModel CRDs (being added in ai-gateway-payload-processing#183 / #184) create HTTPRoutes via the BBR ExternalModel controller. However, the MaaS controller currently only creates AuthPolicies and TokenRateLimitPolicies for maas.opendatahub.io ExternalModels.

This means models deployed via the new CRDs have no Kuadrant auth protection — the gateway-level default-deny blocks them entirely, and there's no per-route AuthPolicy to enable authenticated access.

See: ai-gateway-payload-processing#235 for the original discussion. Nir confirmed this is MaaS scope.

What needs to change

The MaaSAuthPolicy and MaaSSubscription reconcilers need to support inference.opendatahub.io ExternalModels in addition to maas.opendatahub.io ones. This likely means:

  1. MaaSModelRef should be able to reference ExternalModels from both API groups
  2. The reconcilers that generate Kuadrant AuthPolicy and TokenRateLimitPolicy should work for HTTPRoutes created by either the MaaS ExternalModel reconciler or the BBR ExternalModel controller

The API group change should be straightforward — the generated Kuadrant resources target HTTPRoutes by name, and the HTTPRoute name matches the ExternalModel name regardless of which reconciler created it.

Acceptance criteria

  • Models deployed via inference.opendatahub.io ExternalModel CRDs can be protected by MaaSAuthPolicy
  • Models deployed via inference.opendatahub.io ExternalModel CRDs can have rate limits via MaaSSubscription
  • Existing maas.opendatahub.io ExternalModel auth continues to work unchanged

cc @nirrozenbaum @jland-redhat
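
The coverage gap this issue describes can be checked against a cluster inventory. The following Python is an added example, not part of the issue or of the MaaS or BBR code: the `Obj` record, the `audit` function and the sample objects are constructed. It assumes, as the issue states, that the HTTPRoute name equals the ExternalModel name, and that each Kuadrant policy targets a route in its own namespace.

```python
from typing import NamedTuple

# Both ExternalModel API groups named in the issue.
MODEL_GROUPS = {"maas.opendatahub.io", "inference.opendatahub.io"}
# Kuadrant policy kinds the MaaS controller is expected to generate per route.
REQUIRED = {"AuthPolicy", "TokenRateLimitPolicy"}

class Obj(NamedTuple):  # hypothetical flattened view of a cluster object
    group: str
    kind: str
    namespace: str
    name: str
    target: str = ""  # policies only: HTTPRoute name from spec.targetRef

def audit(objects):
    """Map (namespace, model) -> sorted list of what is missing for that model."""
    routes = {(o.namespace, o.name) for o in objects if o.kind == "HTTPRoute"}
    covered = {}
    for o in objects:
        if o.group == "kuadrant.io" and o.kind in REQUIRED:
            # targetRef is namespace-local, so key on the policy's own namespace
            covered.setdefault((o.namespace, o.target), set()).add(o.kind)
    findings = {}
    for o in objects:
        if o.kind != "ExternalModel" or o.group not in MODEL_GROUPS:
            continue
        key = (o.namespace, o.name)  # assumption: route name == model name
        if key not in routes:
            findings[key] = ["HTTPRoute"]
            continue
        missing = sorted(REQUIRED - covered.get(key, set()))
        if missing:
            findings[key] = missing
    return findings

GW = "gateway.networking.k8s.io"
SAMPLE = [  # constructed inventory
    Obj("maas.opendatahub.io", "ExternalModel", "llm", "model-a"),
    Obj(GW, "HTTPRoute", "llm", "model-a"),
    Obj("kuadrant.io", "AuthPolicy", "llm", "model-a-auth", "model-a"),
    Obj("kuadrant.io", "TokenRateLimitPolicy", "llm", "model-a-trlp", "model-a"),
    Obj("inference.opendatahub.io", "ExternalModel", "llm", "model-b"),
    Obj(GW, "HTTPRoute", "llm", "model-b"),
    Obj("inference.opendatahub.io", "ExternalModel", "llm", "model-c"),
    Obj(GW, "HTTPRoute", "llm", "model-c"),
    Obj("kuadrant.io", "TokenRateLimitPolicy", "llm", "model-c-trlp", "model-c"),
    Obj("kuadrant.io", "AuthPolicy", "other", "model-c-auth", "model-c"),  # wrong namespace
]

if __name__ == "__main__":
    for (ns, name), missing in audit(SAMPLE).items():
        print(f"{ns}/{name}: missing {', '.join(missing)}")
```

A model whose only AuthPolicy lives in a different namespace is still reported, because a same-named route elsewhere is a different target.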
