test(maas): add multiple subscription selection tests for TinyLlama

[SB159]

Pull Request

Summary

Adds tests to validate behavior when multiple MaaS subscriptions exist for the same model.
Tests verify that users can access the model when explicitly selecting a valid subscription and are denied when selecting a subscription they do not belong to.

How it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Added a test suite validating multiple-subscription scenarios for a single model: explicit selection between subscriptions, explicit selection of a higher-priority subscription, and service-account access denial for subscriptions it doesn’t belong to.
  • Added supporting test utilities for polling request outcomes and programmatically creating subscriptions to drive those test scenarios.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/wip', '/hold', '/cherry-pick', '/lgtm', '/verified', '/build-push-pr-image'}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new test module exercising multiple MAAS subscriptions per model and accompanying utilities to create subscriptions and poll endpoints; tests cover explicit subscription selection, priority selection, and service-account access restrictions.

Changes

Cohort / File(s)	Summary
MAAS Subscription Test Module tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py	Adds TestMultipleSubscriptionsPerModel with three tests: user access when multiple subscriptions exist, explicit selection of a higher-priority subscription, and ensuring a service account cannot use a subscription it does not belong to.
MAAS Subscription Testing Utilities tests/model_serving/model_server/maas_billing/maas_subscription/utils.py	Adds poll_expected_status to poll an HTTP model endpoint until expected status codes are observed (configurable timeout/sleep/request timeouts) and create_maas_subscription helper to instantiate MaaSSubscription objects; adds LOGGER and imports for typing and Kubernetes DynamicClient.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description covers the main summary and testing status, but is missing the 'Related Issues' section with issue/JIRA links that the template requires.	Add 'Related Issues' section with relevant GitHub issue or JIRA ticket links to complete the PR description template.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding tests for multiple subscription selection behavior in MaaS with TinyLlama model.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py (1)

56-66: Use unique resource names to reduce e2e flakiness in shared environments.

Hardcoded names increase collision risk across retries/parallel runs and can cause intermittent AlreadyExists failures. Prefer a per-test unique suffix for subscription/policy/service-account names.

Suggested pattern

+import uuid
...
+suffix = uuid.uuid4().hex[:6]
...
-            subscription_name="extra-subscription",
+            subscription_name=f"extra-subscription-{suffix}",
...
-            subscription_name="high-tier-subscription",
+            subscription_name=f"high-tier-subscription-{suffix}",
...
-                name="service-account-access-policy",
+                name=f"service-account-access-policy-{suffix}",
...
-                subscription_name="premium-subscription",
+                subscription_name=f"premium-subscription-{suffix}",
...
-                name=service_account_name,
+                name=f"{service_account_name}-{suffix}",

Also applies to: 111-121, 167-193

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`
around lines 56 - 66, The test uses hardcoded resource names in calls to
create_maas_subscription (e.g., subscription_name="extra-subscription",
owner_group_name="nonexistent-group-xyz") which can collide in shared/e2e runs;
update these calls to generate per-test unique names (for example append a short
uuid, timestamp, or pytest node id) when constructing subscription_name,
owner_group_name, and any policy/service-account names referenced in the same
test (also update the other occurrences around the ranges noted). Locate the
create_maas_subscription invocations and replace static literals with a name
builder (e.g., f"extra-subscription-{unique_suffix}") so each test run produces
distinct resources while keeping the rest of the call arguments and teardown
logic unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`:
- Around line 205-215: The test currently allows either 403 or 429 from
poll_expected_status which masks authorization failures; update the call to
poll_expected_status (in test_multiple_subscriptions_per_model.py) to expect
only {403} and change the subsequent assertion to assert response.status_code ==
403 (and keep the same error message context) so the test deterministically
verifies unauthorized subscription use rather than allowing throttling (429) to
satisfy the check.

---

Nitpick comments:
In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`:
- Around line 56-66: The test uses hardcoded resource names in calls to
create_maas_subscription (e.g., subscription_name="extra-subscription",
owner_group_name="nonexistent-group-xyz") which can collide in shared/e2e runs;
update these calls to generate per-test unique names (for example append a short
uuid, timestamp, or pytest node id) when constructing subscription_name,
owner_group_name, and any policy/service-account names referenced in the same
test (also update the other occurrences around the ranges noted). Locate the
create_maas_subscription invocations and replace static literals with a name
builder (e.g., f"extra-subscription-{unique_suffix}") so each test run produces
distinct resources while keeping the rest of the call arguments and teardown
logic unchanged.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 394a748 and 9e5130f.

📒 Files selected for processing (2)

• tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py
• tests/model_serving/model_server/maas_billing/maas_subscription/utils.py

[coderabbitai]

♻️ Duplicate comments (1)

tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py (1)

211-216: ⚠️ Potential issue | 🟡 Minor

Document temporary dual-status assertion with a TODO.

Given Line 211/Line 214 intentionally allow both 403 and 429 for now, add an inline TODO (ideally with a tracking issue) so this doesn’t remain permissive after behavior is finalized.

Suggested update

             response = poll_expected_status(
                 request_session_http=request_session_http,
                 model_url=model_url_tinyllama_free,
                 headers=headers,
                 payload=payload,
+                # TODO(<tracking-ticket>): tighten to {403} once denial status is finalized.
                 expected_statuses={403, 429},
             )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`
around lines 211 - 216, The test currently allows both 403 and 429 for the same
assertion (the assert on response.status_code and the expected_statuses={403,
429} call); add an inline TODO comment immediately above this assertion
referencing a tracking issue (e.g. TODO: tighten behavior to 403 only once
ISSUE-XXXX is resolved) so the temporary dual-status permissiveness is
documented and revisited—place the comment next to the assert that checks
response.status_code and/or the expected_statuses argument.

🧹 Nitpick comments (1)

tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py (1)

58-59: Use unique resource names to reduce CI collision risk.

Static names (e.g., extra-subscription, premium-subscription, test-service-account) can conflict in shared or retried environments. Prefer per-test unique suffixes.

Suggested pattern

+import uuid
...
+suffix = uuid.uuid4().hex[:6]
 with create_maas_subscription(
     admin_client=admin_client,
-    subscription_name="extra-subscription",
+    subscription_name=f"extra-subscription-{suffix}",
...
-    subscription_name="high-tier-subscription",
+    subscription_name=f"high-tier-subscription-{suffix}",
...
-    name="service-account-access-policy",
+    name=f"service-account-access-policy-{suffix}",
...
-    subscription_name="premium-subscription",
+    subscription_name=f"premium-subscription-{suffix}",
...
- service_account_name = "test-service-account"
+ service_account_name = f"test-service-account-{suffix}"

Also applies to: 114-115, 171-172, 180-180, 192-192

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`
around lines 58 - 59, The test uses static resource names (e.g., the
subscription_name values "extra-subscription", "premium-subscription" and
service account or group names like "test-service-account") which cause CI
collisions; update the test helper calls in this test to generate unique names
by appending a per-test suffix (timestamp, short UUID or pytest nodeid) when
creating subscriptions/owner groups/service accounts (where subscription_name
and owner_group_name are passed) and apply the same pattern to the other
occurrences mentioned (the other subscription_name and service/account strings
in the file). Locate the places constructing subscriptions (calls that pass
subscription_name="...") and replace the literal with a generated name variable
(e.g., f"{base_name}-{unique_suffix}") so each test run uses unique resource
names.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`:
- Around line 211-216: The test currently allows both 403 and 429 for the same
assertion (the assert on response.status_code and the expected_statuses={403,
429} call); add an inline TODO comment immediately above this assertion
referencing a tracking issue (e.g. TODO: tighten behavior to 403 only once
ISSUE-XXXX is resolved) so the temporary dual-status permissiveness is
documented and revisited—place the comment next to the assert that checks
response.status_code and/or the expected_statuses argument.

---

Nitpick comments:
In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py`:
- Around line 58-59: The test uses static resource names (e.g., the
subscription_name values "extra-subscription", "premium-subscription" and
service account or group names like "test-service-account") which cause CI
collisions; update the test helper calls in this test to generate unique names
by appending a per-test suffix (timestamp, short UUID or pytest nodeid) when
creating subscriptions/owner groups/service accounts (where subscription_name
and owner_group_name are passed) and apply the same pattern to the other
occurrences mentioned (the other subscription_name and service/account strings
in the file). Locate the places constructing subscriptions (calls that pass
subscription_name="...") and replace the literal with a generated name variable
(e.g., f"{base_name}-{unique_suffix}") so each test run uses unique resource
names.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

Run ID: 634142ce-548f-4c57-955a-4a60832dea07

📥 Commits

Reviewing files that changed from the base of the PR and between 9e5130f and 8c8e352.

📒 Files selected for processing (1)

• tests/model_serving/model_server/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.