This guide provides the essential commands for end-to-end validation of the MaaS platform.
Set environment variables:
export CONTROL_BASE="http://maas.apps.maas2.octo-emerging.redhataicoe.com"
export DATA_BASE="http://vllm-simulator-llm.apps.maas2.octo-emerging.redhataicoe.com"
export MODEL_ID="simulator-model"
export USER_ID="user-12345"JWT=$(curl -s -k -X POST "https://keycloak.apps.maas2.octo-emerging.redhataicoe.com/realms/maas/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=alice&password=password123&grant_type=password&client_id=maas-client&client_secret=maas-client-secret" | \
jq -r .access_token)
echo "JWT Token acquired: $(echo $JWT | cut -c1-20)..."TEAM_ID="demo-team-$(date +%s)"
curl -X POST "$CONTROL_BASE/teams" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{
"team_id": "'$TEAM_ID'",
"team_name": "Demo Team",
"description": "Demo tenant",
"policy": "unlimited-policy"
}'
echo "Team created: $TEAM_ID"Response:
{
"team_id": "demo-team-1756758645",
"team_name": "Demo Team",
"description": "Demo tenant",
"policy": "unlimited-policy",
"created_at": "2025-09-01T20:30:45Z"
}POLICY_NAME="pro-plan-$(date +%s)"
POLICY_RESPONSE=$(curl -X POST "$CONTROL_BASE/policies" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{
"name": "'$POLICY_NAME'",
"kind": "RateLimitPolicy",
"target_route": "inference-route",
"limits": {
"global": {
"rates": [{"limit": 50000, "window": "1h"}]
},
"team_plan": {
"rates": [{"limit": 10000, "window": "1h"}]
}
}
}')
POLICY_ID=$(echo "$POLICY_RESPONSE" | jq -r .policy_id)
echo "Policy created: $POLICY_ID"Response:
bd98642e-455b-4607-aa8e-23d78cbd78a3
curl -X PATCH "$CONTROL_BASE/teams/$TEAM_ID" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{
"default_policy_id": "'$POLICY_ID'"
}'
echo "Team default policy set"Response:
{"message":"Team updated successfully","team_id":"demo-team-1756758645"}curl -X POST "$CONTROL_BASE/teams/$TEAM_ID/members" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{
"user_id": "'$USER_ID'",
"role": "member"
}'
echo "Member added to team"{
"added_at": "2025-09-01T20:40:41Z",
"added_by": "c3023736-e098-4a7e-8891-2675a8ee81db",
"message": "User added to team successfully",
"role": "member",
"team_id": "demo-team-1756758645",
"user_id": "user-12345"
}curl -X POST "$CONTROL_BASE/teams/$TEAM_ID/grants" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{
"user_id": null,
"model_id": "'$MODEL_ID'",
"role": "invoke"
}'
echo "Model access granted"API_KEY_RESPONSE=$(curl -X POST "$CONTROL_BASE/teams/$TEAM_ID/keys" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{
"user_id": "'$USER_ID'",
"alias": "alice-dev"
}')
API_KEY=$(echo "$API_KEY_RESPONSE" | jq -r .api_key)
KEY_ID=$(echo "$API_KEY_RESPONSE" | jq -r .secret_name)
echo "API key created: $API_KEY"
echo "Key ID: $KEY_ID"Response:
{
"api_key": "ah-U2GyD8jtGf0_uFCOvbWUjCnPshf-13DWiN8-wA48kiqKS",
"user_id": "user-12345",
"team_id": "demo-team-1756758645",
"secret_name": "apikey-user-12345-demo-team-1756758645-45bb587f",
"policy": "pro-plan-1756758734",
"created_at": "2025-09-01T20:43:30Z",
"inherited_policies": {
"policy": "pro-plan-1756758734",
"role": "member",
"team_id": "demo-team-1756758645",
"team_name": "Demo Team"
}
}curl -X POST "$DATA_BASE/v1/chat/completions" \
-H "Authorization: APIKEY $API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model": "'$MODEL_ID'",
"messages": [
{
"role": "user",
"content": "hello"
}
],
"max_tokens": 16
}'kubectl get tokenratelimitpolicy gateway-token-rate-limits -n llm -o yamlPolicy section output:
spec:
limits:
pro-plan-1756758734:
counters:
- expression: auth.identity.userid
rates:
- limit: 100000
window: 1h
when:
- predicate: auth.identity.groups.split(",").exists(g, g == "pro-plan-1756758734")
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: inference-gatewaykubectl get secret $KEY_ID -n llm -o yamlcurl -X GET "$CONTROL_BASE/teams/$TEAM_ID" \
-H "Authorization: Bearer $JWT"Output:
{
"created_at": "2025-09-01T20:30:45Z",
"description": "Demo tenant",
"key_count": 1,
"keys": [
"apikey-user-12345-demo-team-1756758645-45bb587f"
],
"policy": "pro-plan-1756758734",
"team_id": "demo-team-1756758645",
"team_name": "Demo Team",
"user_count": 1,
"users": [
{
"user_id": "user-12345",
"user_email": "[email protected]",
"role": "member",
"team_id": "demo-team-1756758645",
"team_name": "Demo Team",
"joined_at": "2025-09-01T20:43:30Z",
"policy": "pro-plan-1756758734"
}
]
}curl -X GET "$CONTROL_BASE/policies" \
-H "Authorization: Bearer $JWT"Run the complete workflow:
./end-to-end-test.sh# Delete team (cascades to keys and memberships)
curl -X DELETE "$CONTROL_BASE/teams/$TEAM_ID" \
-H "Authorization: Bearer $JWT"
# Delete policy
curl -X DELETE "$CONTROL_BASE/policies/$POLICY_ID" \
-H "Authorization: Bearer $JWT"Check key-manager logs:
kubectl logs deployment/key-manager -n llm --tail=50Check TokenRateLimitPolicy status:
kubectl describe tokenratelimitpolicy gateway-token-rate-limits -n llmCheck AuthPolicy status:
kubectl describe authpolicy control-plane-auth -n llm