feat: require tokenRateLimits and remove tokenRateLimitRef for 3.4

[somya-bhatnagar]

Summary

Related to - https://redhat.atlassian.net/browse/RHOAIENG-55976

This PR makes tokenRateLimits required on each MaaSSubscription model reference and removes the unused tokenRateLimitRef field from the CRD.

Changes

API Changes

• ✅ Removed tokenRateLimitRef field from ModelSubscriptionRef
• ✅ Made tokenRateLimits required with MinItems=1 validation
• ✅ Regenerated CRD manifests and deepcopy code

Tests

• ✅ Fixed 4 unit tests (added missing field indexes)
• ✅ All tests passing
• ✅ Live cluster validation complete

Documentation

• ✅ Updated CRD reference docs
• ✅ Updated architecture overview
• ✅ Created migration guide: docs/content/migration/tokenratelimits-required-3.4.md
• ✅ Added v3.4.0 release notes with breaking change notice

Live Cluster Testing Results (https://console-openshift-console.apps.ci-ln-hdzds3t-76ef8.aws-4.ci.openshift.org/)

Deployed custom controller and verified:

• ✅ Subscriptions without tokenRateLimits → REJECTED with "Required value" error
• ✅ Subscriptions with tokenRateLimits → ACCEPTED
• ✅ Subscriptions with old tokenRateLimitRef → REJECTED with "unknown field" error
• ✅ Controller reconciliation working correctly
• ✅ No RBAC errors

Migration Impact

Before (3.3 and earlier):

modelRefs:
  - name: my-model
    namespace: llm
    tokenRateLimits:  # Optional
      - limit: 1000
        window: 1m
    tokenRateLimitRef: "some-ref"  # Unused by controller

After (3.4+):

modelRefs:
  - name: my-model
    namespace: llm
    tokenRateLimits:  # REQUIRED - at least one
      - limit: 1000
        window: 1m
    # tokenRateLimitRef removed

Migration Guide

See detailed migration instructions in docs/content/migration/tokenratelimits-required-3.4.md

Users must add inline tokenRateLimits to all MaaSSubscription resources before upgrading to 3.4.

Acceptance Criteria

All criteria from the user story met:

• tokenRateLimitRef not present in API
• Each modelRefs entry must include non-empty tokenRateLimits
• Validation rejects non-compliant resources with clear messages
• Tests cover required limits, no tokenRateLimitRef references
• Generated CRD YAML matches types
• Documentation updated
• Migration guide provided
• Breaking change documented in release notes

Files Changed

• maas-controller/api/maas/v1alpha1/maassubscription_types.go - API types
• deployment/base/maas-controller/crd/bases/maas.opendatahub.io_maassubscriptions.yaml - CRD manifest
• maas-controller/api/maas/v1alpha1/zz_generated.deepcopy.go - Generated code
• maas-controller/pkg/controller/maas/maassubscription_controller_test.go - Test fixes
• docs/content/configuration-and-management/maas-controller-overview.md - Architecture docs
• docs/content/reference/crds/maas-subscription.md - CRD reference
• docs/content/migration/tokenratelimits-required-3.4.md - Migration guide (new)
• docs/content/release-notes/index.md - Release notes

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Breaking Changes

  • Rate limit configuration for each model subscription is now mandatory and must be specified inline rather than referenced externally
  • At least one rate limit entry is required per model
  • Rate limit values must be greater than zero

• Documentation

  • Updated configuration and CRD documentation to reflect new rate limit requirements

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes remove the optional tokenRateLimitRef field from ModelSubscriptionRef and make the tokenRateLimits array required with a minimum of one entry. The limit field within each TokenRateLimit entry now enforces a minimum value of 1. These schema changes are reflected across the CRD definition, Go type definitions, generated deepcopy logic, test fixtures, and documentation files. The modification represents a breaking API change that consolidates rate-limit specification into a single required mechanism.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: removing tokenRateLimitRef and making tokenRateLimits required in the v3.4 release.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

maas-controller/pkg/controller/maas/maassubscription_controller_test.go (1)

400-400: Replace duplicated "spec.modelRef" literals with the shared index-key symbol.

Hardcoding the field index key in multiple tests is drift-prone. Use the same key symbol used by the reconciler setup.

Proposed refactor

-		WithIndex(&maasv1alpha1.MaaSSubscription{}, "spec.modelRef", subscriptionModelRefIndexer).
+		WithIndex(&maasv1alpha1.MaaSSubscription{}, modelRefIndexKey, subscriptionModelRefIndexer).

Apply the same replacement at Line 496, Line 722, and Line 816.

Also applies to: 496-496, 722-722, 816-816

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@maas-controller/pkg/controller/maas/maassubscription_controller_test.go` at
line 400, Replace the hardcoded "spec.modelRef" string in the test WithIndex
calls with the reconciler's shared index-key symbol (use the same constant used
in reconciler setup, e.g. subscriptionModelRefIndexKey) instead of the literal;
update the calls that currently pass "spec.modelRef" (they also pass
subscriptionModelRefIndexer) so they read
WithIndex(&maasv1alpha1.MaaSSubscription{}, subscriptionModelRefIndexKey,
subscriptionModelRefIndexer), and make the same replacement at the other test
sites where "spec.modelRef" is duplicated.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/content/migration/tokenratelimits-required-3.4.md`:
- Around line 95-98: Change the code fence language from bash to yaml for the
example showing the YAML key tokenRateLimitRef so the snippet is valid YAML and
won't be mis-copied; locate the block containing the fenced code that currently
begins with ```bash and replace the fence language with ```yaml (or
alternatively provide an actual shell command if you intend a bash example) so
the shown content (tokenRateLimitRef: "some-ref") is correctly labeled.

In `@maas-controller/api/maas/v1alpha1/maassubscription_types.go`:
- Around line 67-68: The TokenRateLimit.Limit field currently allows
zero/negative values; add a Kubebuilder validation marker to enforce a minimum
of 1 on the Limit field. In the maassubscription_types.go TokenRateLimit struct,
add a comment tag like +kubebuilder:validation:Minimum=1 immediately above the
Limit field declaration and regenerate CRD YAMLs if needed so the API rejects
values <1. Ensure the marker is applied to the Limit field name (Limit) so the
controller and admission validation enforce the constraint.

---

Nitpick comments:
In `@maas-controller/pkg/controller/maas/maassubscription_controller_test.go`:
- Line 400: Replace the hardcoded "spec.modelRef" string in the test WithIndex
calls with the reconciler's shared index-key symbol (use the same constant used
in reconciler setup, e.g. subscriptionModelRefIndexKey) instead of the literal;
update the calls that currently pass "spec.modelRef" (they also pass
subscriptionModelRefIndexer) so they read
WithIndex(&maasv1alpha1.MaaSSubscription{}, subscriptionModelRefIndexKey,
subscriptionModelRefIndexer), and make the same replacement at the other test
sites where "spec.modelRef" is duplicated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 583f99f8-4c9d-415a-933e-b1695bad7699

📥 Commits

Reviewing files that changed from the base of the PR and between 0b67ec8 and 9f63574.

📒 Files selected for processing (8)

• deployment/base/maas-controller/crd/bases/maas.opendatahub.io_maassubscriptions.yaml
• docs/content/configuration-and-management/maas-controller-overview.md
• docs/content/migration/tokenratelimits-required-3.4.md
• docs/content/reference/crds/maas-subscription.md
• docs/content/release-notes/index.md
• maas-controller/api/maas/v1alpha1/maassubscription_types.go
• maas-controller/api/maas/v1alpha1/zz_generated.deepcopy.go
• maas-controller/pkg/controller/maas/maassubscription_controller_test.go

💤 Files with no reviewable changes (1)

• maas-controller/api/maas/v1alpha1/zz_generated.deepcopy.go

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

maas-controller/api/maas/v1alpha1/maassubscription_types.go (1)

67-68: Validation correctly enforces non-empty tokenRateLimits.

The MinItems=1 marker and removal of omitempty properly enforce that each model reference must have at least one rate limit defined at admission time.

However, this change creates dead code in maas-controller/pkg/controller/maas/maassubscription_controller.go lines 212-217. The guard if len(mRef.TokenRateLimits) > 0 and its else branch (default 100-token fallback) can never be reached since the API now guarantees at least one item.

,

Consider removing the dead code path in a follow-up:

 for _, mRef := range sub.Spec.ModelRefs {
     if mRef.Namespace != modelNamespace || mRef.Name != modelName {
         continue
     }
     var rates []interface{}
-    if len(mRef.TokenRateLimits) > 0 {
-        for _, trl := range mRef.TokenRateLimits {
-            rates = append(rates, map[string]interface{}{"limit": trl.Limit, "window": trl.Window})
-        }
-    } else {
-        rates = append(rates, map[string]interface{}{"limit": int64(100), "window": "1m"})
+    for _, trl := range mRef.TokenRateLimits {
+        rates = append(rates, map[string]interface{}{"limit": trl.Limit, "window": trl.Window})
     }
     subs = append(subs, subInfo{sub: sub, mRef: mRef, rates: rates})
     break
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@maas-controller/api/maas/v1alpha1/maassubscription_types.go` around lines 67
- 68, Remove the dead branch that checks len(mRef.TokenRateLimits) > 0 in
maassubscription_controller.go and its else fallback to the 100-token default
(the guard and fallback are no longer reachable because the CRD enforces
MinItems=1 on TokenRateLimits); update the logic that reads rate limits
(references to mRef.TokenRateLimits and the code handling the
empty-case/default) to directly consume the guaranteed entries (e.g., use the
first TokenRateLimit or iterate over TokenRateLimits as intended) and delete the
unreachable else-path and related comments so the controller assumes at least
one rate limit per model reference.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/content/migration/tokenratelimits-required-3.4.md`:
- Around line 141-143: The markdown fenced code blocks showing error messages
(e.g., the blocks containing "Error: spec.modelRefs[0].tokenRateLimits: Required
value", "Error: unknown field \"spec.modelRefs[0].tokenRateLimitRef\"", and
"Error: spec.modelRefs[0].tokenRateLimits: Invalid value: \"array\": must have
at least 1 items") need a language specifier to satisfy MD040; edit the three
affected code fences in docs/content/migration/tokenratelimits-required-3.4.md
(the blocks around those exact error strings) and add `text` after the opening
``` so each becomes ```text.

---

Nitpick comments:
In `@maas-controller/api/maas/v1alpha1/maassubscription_types.go`:
- Around line 67-68: Remove the dead branch that checks
len(mRef.TokenRateLimits) > 0 in maassubscription_controller.go and its else
fallback to the 100-token default (the guard and fallback are no longer
reachable because the CRD enforces MinItems=1 on TokenRateLimits); update the
logic that reads rate limits (references to mRef.TokenRateLimits and the code
handling the empty-case/default) to directly consume the guaranteed entries
(e.g., use the first TokenRateLimit or iterate over TokenRateLimits as intended)
and delete the unreachable else-path and related comments so the controller
assumes at least one rate limit per model reference.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 54f32997-624b-4c68-a937-fb3846c63fbf

📥 Commits

Reviewing files that changed from the base of the PR and between 9f63574 and 54efa64.

📒 Files selected for processing (3)

• deployment/base/maas-controller/crd/bases/maas.opendatahub.io_maassubscriptions.yaml
• docs/content/migration/tokenratelimits-required-3.4.md
• maas-controller/api/maas/v1alpha1/maassubscription_types.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language specifier to error message code blocks.

Per markdownlint MD040, fenced code blocks should have a language specified. Use text for error messages.

Proposed fix

 ### Missing tokenRateLimits

-```
+```text
 Error: spec.modelRefs[0].tokenRateLimits: Required value

Solution: Add at least one tokenRateLimits entry to each model reference.

Using tokenRateLimitRef

- +text
Error: unknown field "spec.modelRefs[0].tokenRateLimitRef"

**Solution:** Remove `tokenRateLimitRef` field and use inline `tokenRateLimits` instead.

### Empty tokenRateLimits array

-```
+```text
Error: spec.modelRefs[0].tokenRateLimits: Invalid value: "array": must have at least 1 items

</details>


Also applies to: 149-151, 157-159

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.0)</summary>

[warning] 141-141: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/content/migration/tokenratelimits-required-3.4.md around lines 141 -
143, The markdown fenced code blocks showing error messages (e.g., the blocks
containing "Error: spec.modelRefs[0].tokenRateLimits: Required value", "Error:
unknown field "spec.modelRefs[0].tokenRateLimitRef"", and "Error:
spec.modelRefs[0].tokenRateLimits: Invalid value: "array": must have at least
1 items") need a language specifier to satisfy MD040; edit the three affected
code fences in docs/content/migration/tokenratelimits-required-3.4.md (the
blocks around those exact error strings) and add text after the opening so each becomestext.

</details>

<!-- fingerprinting:phantom:medusa:ocelot:fe928791-81e3-4f86-8631-846ee7d81f1d -->

<!-- This is an auto-generated comment by CodeRabbit -->

[jland-redhat]

Looks good but I think we can just remove the breaking change piece.

Once that is out I will LGTM

[jland-redhat]

Mentioned this in the comments but we do not need a migration plan for this one.

It will be covered by our overall migration plan

[somya-bhatnagar]

Understood, will get rid of this.

[jland-redhat]

As noted above all of these objects are new so everything is breaking :)

We do need to add that to the release notes in a general sense but we don't need this change noted.

[somya-bhatnagar]

Agree, updated.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/content/release-notes/index.md`:
- Around line 7-9: The release note entry for v3.4.0 is too generic about
breaking CRD/API changes; update the v3.4.0 section in
docs/content/release-notes/index.md to list exact schema deltas for the new MaaS
CRDs (MaaSModelRef, MaaSAuthPolicy, MaaSSubscription): enumerate added required
fields, removed/renamed fields, changed field types, default value changes, and
any new validation/webhook behaviors, and include concrete migration steps
(e.g., field mappings or example kubectl patch commands) so operators can
perform upgrades safely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a74084ed-d08d-4f46-90a1-764249e1f3d6

📥 Commits

Reviewing files that changed from the base of the PR and between 54efa64 and fd4cda3.

📒 Files selected for processing (1)

• docs/content/release-notes/index.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Document the exact breaking schema changes in this release note entry.

This text is too generic for a breaking CRD/API change and can lead to upgrade failures because it does not name the required/removed fields. Add the concrete migration-critical deltas directly in v3.4.0 notes.

Suggested edit

-Version 3.4.0 introduces new CRDs and API resources that are not compatible with previous versions. All MaaS custom resources (`MaaSModelRef`, `MaaSAuthPolicy`, `MaaSSubscription`) are new in this release.
+Version 3.4.0 introduces breaking MaaSSubscription schema changes:
+- `spec.modelRefs[].tokenRateLimits` is now required and must contain at least one item (`minItems: 1`).
+- `spec.modelRefs[].tokenRateLimitRef` has been removed.
+- `spec.modelRefs[].tokenRateLimits[].limit` now enforces `minimum: 1`.
+Resources missing `tokenRateLimits` will be rejected by validation after upgrade.
 
-**Migration:** See the overall migration plan for detailed upgrade instructions from previous versions.
+**Migration:** Update all `MaaSSubscription` resources to inline `tokenRateLimits` before upgrading. See `docs/content/migration/tokenratelimits-required-3.4.md`.

As per coding guidelines, "REVIEW PRIORITIES: ... 3. Bug-prone patterns and error handling gaps".

🧰 Tools

🪛 LanguageTool

[style] ~7-~7: Consider using “incompatible” to avoid wordiness.
Context: ...ces new CRDs and API resources that are not compatible with previous versions. All MaaS custom...

(NOT_ABLE_PREMIUM)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/content/release-notes/index.md` around lines 7 - 9, The release note
entry for v3.4.0 is too generic about breaking CRD/API changes; update the
v3.4.0 section in docs/content/release-notes/index.md to list exact schema
deltas for the new MaaS CRDs (MaaSModelRef, MaaSAuthPolicy, MaaSSubscription):
enumerate added required fields, removed/renamed fields, changed field types,
default value changes, and any new validation/webhook behaviors, and include
concrete migration steps (e.g., field mappings or example kubectl patch
commands) so operators can perform upgrades safely.

[jland-redhat]

lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jland-redhat, somya-bhatnagar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jland-redhat,somya-bhatnagar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment