Native Models as a Service in OpenShift AI

⏱ ~15 min

This module covers Native MaaS in Red Hat OpenShift AI (RHOAI) 3.4: Connectivity Link, the MaaS gateway, Gen AI Studio API keys, and the maas-workshop-users group that includes your workshop user (guest (register first)).

This is the recommended path for new LLM integrations. Module 05 — AI Gateway API key shows the legacy Kuadrant AI Gateway path (https://ai-gateway.apps.cluster.example.com/v1). Both paths can run in parallel during migration; this lab focuses on the native dashboard experience.

What you will do

Module 09 activity overview — OpenShift AI native MaaS

As guest (register first) you will:

  1. Open the OpenShift AI dashboard and confirm Gen AI Studio / Models as a Service navigation

  2. Verify GitOps-managed MaaS CRs (Tenant, Subscription, AuthPolicy) and group membership

  3. Create an API key in the dashboard (not Developer Hub Kuadrant)

  4. Call https://maas.apps.cluster.example.com/v1/chat/completions with a Bearer token

Product stack: OpenShift AI 3.4 + Red Hat Connectivity Link gateway class data-science-gateway-class + upstream RHDP MaaS models.

Architecture overview

Layer Component

Dashboard

Gen AI Studio, API key management, Auth Policies (enabled in OdhDashboardConfig)

Control plane

MaaS Tenant, Subscription, AuthPolicy CRs in models-as-a-service

Gateway

maas-default-gateway (Gateway API class data-science-gateway-class)

Upstream

External RHDP endpoint maas-rhdp.apps.maas.redhatworkshops.io

Step 1 — Open the OpenShift AI dashboard

  1. Log in to the hub console or open the dashboard directly:

https://rhods-dashboard-redhat-ods-applications.apps.cluster.example.com
  1. Use guest (register first) / Welcome123!.

  2. Confirm the left navigation shows Models as a Service and Gen AI Studio entries (patched by the models-as-a-service chart).

If those menu items are missing, an instructor can verify OdhDashboardConfig in namespace redhat-ods-applications has modelAsService: true and genAiStudio: true.

Step 2 — Confirm your workshop group membership

Workshop users user1 through user30 belong to OpenShift group maas-workshop-users, which grants access to the MaaS subscription and auth policy.

hub-login guest (register first)
oc get group maas-workshop-users -o jsonpath='{.users[*]}{"\n"}' | tr ' ' '\n' | grep -E '^user[0-9]+$' | head -5
oc auth can-i create apikeys.maas.opendatahub.io --as=guest (register first) -n models-as-a-service 2>/dev/null || echo "(API key RBAC may be dashboard-only)"
Expected output (truncated)
user1
user2
user3
...

Step 3 — Inspect MaaS GitOps resources

maas-native-status

Or run the commands individually:

hub-login guest (register first)
oc get tenant,externalmodel,maassubscription,maasauthpolicy -n models-as-a-service
oc get tenant default-tenant -n models-as-a-service \
  -o jsonpath='Tenant Ready: {.status.conditions[?(@.type=="Ready")].status}{"\n"}'
oc get gateway maas-default-gateway -n openshift-ingress \
  -o jsonpath='Gateway hostname: {.spec.listeners[0].hostname}{"\n"}'
Expected output
NAME              READY
default-tenant    True

Tenant Ready: True
Gateway hostname: maas.apps.cluster.example.com
# charts/all/models-as-a-service/templates/maas-crs.yaml (excerpt)
apiVersion: maas.opendatahub.io/v1alpha1
kind: Tenant
metadata:
  name: default-tenant
  namespace: models-as-a-service
---
apiVersion: maas.opendatahub.io/v1alpha1
kind: MaaSSubscription
metadata:
  name: maas-workshop-subscription
spec:
  owner:
    groups:
      - kind: Group
        name: maas-workshop-users

Step 4 — Browse models in Gen AI Studio

  1. In the OpenShift AI dashboard, open Gen AI Studio (or Models as a ServiceModels).

  2. Locate workshop models such as:

    • Llama Scout 17B (workshop default)

    • Granite 3.2 8B Instruct (Lightspeed default)

    • DeepSeek R1 Distill Qwen 14B

    • CodeLlama 7B Instruct

These map to ExternalModel CRs that proxy the upstream RHDP endpoint.

Step 5 — Create an API key in the dashboard

  1. Navigate to Gen AI StudioAPI keys (or Models as a ServiceAPI keys).

  2. Click Create API key, give it a name (for example workshop-guest (register first)), and copy the key.

Store the key immediately — you cannot retrieve the full secret again after closing the dialog. Do not share the key; it grants access to your MaaS subscription quota.

Step 6 — Test inference on the native MaaS gateway

Replace <your-maas-api-key> with the key from Step 5.

export MAAS_API_KEY="<your-maas-api-key>"
curl -sk -H "Authorization: Bearer ${MAAS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"model":"llama-scout-17b","messages":[{"role":"user","content":"Summarize PPE detection in one sentence"}]}' \
  "https://maas.apps.cluster.example.com/v1/chat/completions" | head -c 500
echo
Expected output (truncated)
{
  "id": "chatcmpl-xxx",
  "object": "chat.completion",
  "choices": [{
    "message": {
      "role": "assistant",
      "content": "PPE detection uses computer vision..."
    }
  }]
}

Step 7 — List models on the native gateway

curl -sk -H "Authorization: Bearer ${MAAS_API_KEY}" \
  "https://maas.apps.cluster.example.com/v1/models" | python3 -m json.tool 2>/dev/null | head -25

Compare with the AI Gateway path

Path URL Auth

Native MaaS (this module, recommended)

maas.apps.cluster.example.com/v1

Bearer token from Gen AI Studio

AI Gateway (Kuadrant, legacy) (Module 05)

ai-gateway.apps.cluster.example.com/v1

Kuadrant APIKEY from Developer Hub

What you learned

  • RHOAI 3.4 native MaaS exposes Gen AI Studio and API key management in the dashboard

  • Workshop users in maas-workshop-users subscribe to shared models via MaaSSubscription

  • Traffic enters through Gateway maas-default-gateway on hostname maas.apps.cluster.example.com

  • The legacy Kuadrant AI Gateway path remains available until operators disable apis.maas.enabled