--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 operatorframework.io/installed-alongside-4bd893de2d7a381: kuadrant-system/rhcl-operator.v1.3.1 creationTimestamp: "2026-03-18T16:54:24Z" generation: 1 labels: app: kuadrant olm.managed: "true" operators.coreos.com/rhcl-operator.kuadrant-system: "" managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:operatorframework.io/installed-alongside-4bd893de2d7a381: {} f:labels: .: {} f:app: {} f:olm.managed: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-03-18T16:54:24Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-03-18T16:54:24Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/rhcl-operator.kuadrant-system: {} manager: olm operation: Update time: "2026-03-18T16:54:59Z" name: oidcpolicies.extensions.kuadrant.io resourceVersion: "16772" uid: c0fb70fc-0e9b-4a76-8ddf-3e11f56e2345 spec: conversion: strategy: None group: extensions.kuadrant.io names: kind: OIDCPolicy listKind: OIDCPolicyList plural: oidcpolicies singular: oidcpolicy scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: OIDCPolicy is the Schema for the oidcpolicies API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: OIDCPolicySpec defines the desired state of OIDCPolicy properties: auth: description: Auth holds the information regarding AuthN/AuthZ properties: claims: additionalProperties: type: string description: Claims contains the JWT Claims https://www.rfc-editor.org/rfc/rfc7519.html#section-4 type: object tokenSource: description: |- TokenSource informs where the JWT token will be found in the request for authentication If omitted, it defaults to credentials passed in cookies. properties: authorizationHeader: properties: prefix: type: string type: object cookie: properties: name: type: string required: - name type: object customHeader: properties: name: type: string required: - name type: object queryString: properties: name: type: string required: - name type: object type: object type: object provider: description: Provider holds the information for the OIDC provider properties: authorizationEndpoint: description: |- The full URL of the Authorization endpoints AuthorizationEndpoint performs Authentication of the End-User. Default value is the IssuerURL + "/oauth/authorize" type: string clientID: description: OAuth2 Client ID. type: string issuerURL: description: |- URL of the OpenID Connect (OIDC) token issuer endpoint. Use it for automatically discovering the JWKS URL from an OpenID Connect Discovery endpoint (https://openid.net/specs/openid-connect-discovery-1_0.html). The Well-Known Discovery path (i.e. "/.well-known/openid-configuration") is appended to this URL to fetch the OIDC configuration. One of: jwksUrl, issuerUrl type: string jwksURL: description: |- URL of the JSON Web Key Set (JWKS) endpoint. Use it for non-OpenID Connect (OIDC) JWT authentication, where the JWKS URL is known beforehand. One of: jwksUrl, issuerUrl type: string redirectURI: description: The RedirectURI defines the URL that is part of the authentication request to the AuthorizationEndpoint and the one defined in the IDP. Default value is the IssuerURL + "/auth/callback" type: string tokenEndpoint: description: TokenEndpoint defines the URL to obtain an Access Token, an ID Token, and optionally a Refresh Token. Default value is the IssuerURL + "/oauth/token" type: string required: - clientID type: object x-kubernetes-validations: - message: 'Use one of: jwksURL, issuerURL' rule: '!(has(self.jwksURL) && self.jwksURL != '''' && has(self.issuerURL) && self.issuerURL != '''')' - message: When jwksURL is set, authorizationEndpoint and tokenEndpoint must also be provided rule: '!(has(self.jwksURL) && self.jwksURL != '''') || (has(self.authorizationEndpoint) && self.authorizationEndpoint != '''' && has(self.tokenEndpoint) && self.tokenEndpoint != '''')' targetRef: description: Reference to the object to which this policy applies. properties: group: description: Group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: Kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: Name is the name of the target resource. maxLength: 253 minLength: 1 type: string sectionName: description: |- SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - group - kind - name type: object x-kubernetes-validations: - message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io' rule: self.group == 'gateway.networking.k8s.io' - message: Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway' rule: self.kind == 'HTTPRoute' || self.kind == 'Gateway' required: - provider - targetRef type: object status: description: OIDCPolicyStatus defines the observed state of OIDCPolicy properties: conditions: description: |- Represents the observations of a OIDCPolicy's current state. Known .status.conditions.type are: "Ready" items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map observedGeneration: description: ObservedGeneration reflects the generation of the most recently observed spec. format: int64 type: integer type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: OIDCPolicy listKind: OIDCPolicyList plural: oidcpolicies singular: oidcpolicy conditions: - lastTransitionTime: "2026-03-18T16:54:24Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-03-18T16:54:24Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1