
feat: enable x-api-key inbound authentication when IPP ExternalModel uses messages API format #1012

Open: ishitasequeira wants to merge 1 commit into opendatahub-io:main from ishitasequeira:feat/x-api-key-inbound-auth


@ishitasequeira ishitasequeira commented Jun 16, 2026

Contributor

Description

Clients using SDKs that send credentials via x-api-key instead of Authorization: Bearer are currently rejected at the gateway. This PR detects when an IPP ExternalModel with apiFormat: "messages" exists and automatically adds an api-keys-x-api-key identity source to the gateway AuthPolicy, removing it when no longer needed.

Summary

  • Dynamically add an api-keys-x-api-key identity source to the gateway AuthPolicy when an IPP ExternalModel CR with apiFormat: "messages" exists on the cluster
  • The controller discovers IPP ExternalModel CRs (unstructured client, no Go module dependency) and checks if any externalProviderRefs[].apiFormat is "messages" (Anthropic SDK)
  • Identity normalization: the api-keys-x-api-key source uses "Bearer " + request.headers["x-api-key"] so downstream Authorino logic (validation, OPA) sees the same format regardless of inbound header
  • When no apiFormat: "messages" ExternalModel exists, the identity source is removed — zero impact on clusters without IPP

How Has This Been Tested?

  • Manually tested cases
    ╔══════════════════════════════════════════════════════════════╗
    ║ E2E TEST RESULTS ║
    ╠══════════════════════════════════════════════════════════════╣
    ║ STEP 1: Baseline (no ExternalModel with apiFormat=messages) ║
    ║ 1a: Authorization: Bearer works HTTP 200 PASS ║
    ║ 1b: x-api-key rejected HTTP 401 PASS ║
    ╠══════════════════════════════════════════════════════════════╣
    ║ STEP 2-3: Create ExternalModel, trigger reconcile ║
    ║ Controller: xAPIKeyEnabled=true PASS ║
    ║ AuthPolicy: api-keys-x-api-key present PASS ║
    ╠══════════════════════════════════════════════════════════════╣
    ║ STEP 4: x-api-key authentication ║
    ║ 4a: x-api-key: sk-oai-* works HTTP 200 PASS ║
    ║ 4b: Authorization: Bearer still works HTTP 200 PASS ║
    ║ 4c: Invalid x-api-key rejected HTTP 401 PASS ║
    ║ 4d: Non-sk-oai prefix rejected HTTP 401 PASS ║
    ║ 4e: Both headers (no conflict) HTTP 200 PASS ║
    ╠══════════════════════════════════════════════════════════════╣
    ║ STEP 5: Full inference response with x-api-key PASS ║
    ╠══════════════════════════════════════════════════════════════╣
    ║ STEP 6: Cleanup and fallback ║
    ║ api-keys-x-api-key removed from AuthPolicy PASS ║
    ║ Controller: xAPIKeyEnabled=false PASS ║
    ║ 6a: x-api-key stops working HTTP 401 PASS ║
    ║ 6b: Authorization: Bearer still works HTTP 200 PASS ║
    ╠══════════════════════════════════════════════════════════════╣
    ║ ALL 11 TESTS PASSED ║
    ╚══════════════════════════════════════════════════════════════╝

  • e2e testing

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work
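
The detection and identity-normalization logic described in the PR summary, as an added Go example that is not the PR's own code. The `spec.externalProviderRefs` field path, the function names, the header precedence when both headers are sent, and the sample key are assumptions; objects are plain maps standing in for what an unstructured client returns.

```go
package main

import (
	"fmt"
	"strings"
)

// object stands in for the map an unstructured Kubernetes client returns.
type object = map[string]interface{}

const xAPIKeySource = "api-keys-x-api-key" // source name from the PR description

// needsXAPIKey reports whether any ExternalModel has a provider ref with
// apiFormat "messages". The spec.externalProviderRefs path is an assumption;
// missing or malformed fields are skipped rather than causing a panic.
func needsXAPIKey(models []object) bool {
	for _, m := range models {
		spec, _ := m["spec"].(object)
		refs, _ := spec["externalProviderRefs"].([]interface{})
		for _, r := range refs {
			ref, _ := r.(object)
			if f, _ := ref["apiFormat"].(string); f == "messages" {
				return true
			}
		}
	}
	return false
}

// credential normalizes both inbound headers to "Bearer <key>". Checking
// Authorization first when both are sent is an assumption of this example.
func credential(h map[string]string, xAPIKeyEnabled bool) (string, bool) {
	if v := h["authorization"]; strings.HasPrefix(v, "Bearer ") && len(v) > 7 {
		return v, true
	}
	if v := h["x-api-key"]; xAPIKeyEnabled && v != "" {
		return "Bearer " + v, true
	}
	return "", false
}

func main() {
	// Constructed sample objects, not taken from a real cluster.
	models := []object{
		{"spec": object{"externalProviderRefs": []interface{}{object{"apiFormat": "messages"}}}},
	}
	on := needsXAPIKey(models)
	c, ok := credential(map[string]string{"x-api-key": "sk-oai-example"}, on)
	fmt.Println(xAPIKeySource, "enabled:", on, "credential:", c, ok)
}
```

With the source disabled, `credential` ignores `x-api-key` entirely, which corresponds to the 401 results in steps 1b and 6a of the test table above.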

@ishitasequeira ishitasequeira requested a review from a team as a code owner June 16, 2026 18:43
@ishitasequeira ishitasequeira requested review from liangwen12year and mynhardtburger and removed request for a team June 16, 2026 18:43
@openshift-ci openshift-ci Bot requested review from jland-redhat and jrhyness June 16, 2026 18:43

openshift-ci Bot commented Jun 16, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ishitasequeira

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented Jun 16, 2026

Contributor

Warning

Review limit reached

@ishitasequeira, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 34 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 044eec7d-6e90-459b-8a1d-f609038bac1c

📥 Commits

Reviewing files that changed from the base of the PR and between b7e27a5 and 76d0a7c.

📒 Files selected for processing (6)
  • deployment/base/maas-controller/rbac/clusterrole.yaml
  • maas-controller/pkg/controller/maas/maasauthpolicy_controller.go
  • maas-controller/pkg/controller/maas/maasauthpolicy_controller_test.go
  • maas-controller/pkg/controller/maas/maasauthpolicy_gateway_aggregate_test.go
  • maas-controller/pkg/controller/maas/providers_test.go
  • test/e2e/tests/test_x_api_key_auth.py



openshift-ci Bot commented Jun 16, 2026


PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ishitasequeira ishitasequeira changed the title feat: inject x-api-key inbound auth for Anthropic SDK clients feat: enable x-api-key inbound authentication when IPP ExternalModel uses messages API format Jun 16, 2026
@rhods-ci-bot


@ishitasequeira: The following test has Succeeded:

OCI Artifact Browser URL

View in Artifact Browser

Inspecting Test Artifacts Manually

To inspect your test artifacts manually, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
     mkdir -p oras-artifacts
     cd oras-artifacts
     oras pull quay.io/opendatahub/odh-ci-artifacts:maas-group-test-68tdb
