nerdalert

Multi-Turn BBR+MaaS Validation Output

• Anthropic multi-turn validation (the errors at turn 8 are TRLP and expected as part of the test)

HOST="https://maas.$(kubectl get ingress.config.openshift.io/cluster -o jsonpath='{.spec.domain}')"
TOKEN=$(oc whoami -t)

nerdalert

MaaS PR662 Install Log

$ ./scripts/deploy.sh --operator-type odh
[INFO] ===================================================
[INFO]   Models-as-a-Service Deployment
[INFO] ===================================================
[INFO] Validating configuration...
[INFO] Configuration validated successfully

nerdalert

MaaS API RBAC Fix

Root Cause

Breakage when deploying MaaS with: ./scripts/deploy.sh --operator-type odh

maas-api pods crash with CrashLoopBackOff because the opendatahub:maas-api service account lacks:

1. Permission to read the maas-db-config secret in opendatahub namespace
2. Permission to list maasmodelrefs and maassubscriptions CRDs

nerdalert

TLS Skip

tlsInsecureSkipVerify to ExternalModel spec validation with PR: opendatahub-io/models-as-a-service#646

• Commands to validate:

# Discover gateway
  HOST=$(kubectl get maasmodelref facebook-opt-125m-simulated -n llm \
    -o jsonpath='{.status.endpoint}' | sed -E 's#(https://[^/]+).*#\1#')

nerdalert

MaaS Istio External Mode Routing Validation

All three models (local + OpenAI + Anthropic) work through the MaaS gateway using the same sk-oai-* API key minted via the MaaS API.

Demo: External Model Routing with Istio ServiceEntry & DestinationRule

I didn't add the model listing to this validation but you can see an example modifications to MaaS required in egress-ai-gateway-poc/patches/maas-api-external-model-listing.patch. This patch adds ConfigMap-based external model listing to the MaaS API — it reads from an external-model-registry ConfigMap in the MaaS namespace and merges those models into the GET /v1/models response. I have tested that a couple of weeks ago with ghcr.io/nerdalert/maas-api:external-models.

Environment

nerdalert

$ ./scripts/validate.sh  all
Discovering gateway address...
  Found LoadBalancer hostname: http://a38603e70f1d34daa841061646a16427-402819449.us-east-1.elb.amazonaws.com

==========================================
  Iteration 1: httpbin.org (no auth)
==========================================

Resources:

nerdalert

Baseline Benchmark Results - Feb 24

Run metadata

• Executed at: 2026-02-24 06:42:10 UTC
• Repo: ~/vanilla/subscription-maas-413/maas-benchmark-vanilla/maas-benchmark
• Target host: maas.apps.rosa.vnthh-zgsnt-wuf.rrcb.p3.openshiftapps.com
• Protocol: https
• Model ID detected from MAAS API: facebook/opt-125m
• Model path detected from MAAS API: /llm/facebook-opt-125m-simulated
• k6 version: k6 v1.5.0 (commit/7961cefa12, go1.25.5, linux/amd64)

nerdalert

MAAS Benchmark - subscription PR

Run metadata

• Executed at: 2026-02-24 05:13:54 UTC
• Repo: ~/vanilla/subscription-maas-413/maas-benchmark-vanilla/maas-benchmark
• Target host: maas.apps.rosa.uu2gf-j2mrj-mmg.iqgw.p3.openshiftapps.com
• Protocol: https
• Model ID detected from MAAS API: facebook/opt-125m
• Model URL detected from MAAS API: http://maas.apps.rosa.uu2gf-j2mrj-mmg.iqgw.p3.openshiftapps.com/llm/facebook-opt-125m-simulated
• k6 version: k6 v1.5.0 (commit/7961cefa12, go1.25.5, linux/amd64)

nerdalert

MaaS Baseline Benchmark Feb 20, 2026

Run metadata

• Executed at: 2026-02-21 04:14:07 UTC
• Repo: ~/perf-k6/maas-benchmark
• Target host: maas.apps.rosa.j7mgr-s39et-cf9.yd65.p3.openshiftapps.com
• Protocol: https
• Model ID detected from MAAS API: facebook/opt-125m
• k6 version: k6 v1.5.0

nerdalert

Msg @clusterbot in Slack run:
rosa create 4.20.6

models-as-a-service$ ./scripts/deploy.sh --operator-type odh
[INFO] ===================================================
[INFO]   Models-as-a-Service Deployment
[INFO] ===================================================