--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.17.3 operatorframework.io/installed-alongside-ca74cd5638df5421: opendatahub/opendatahub-operator.v3.5.0-ea.1 creationTimestamp: "2026-06-09T03:07:59Z" generation: 1 labels: olm.managed: "true" operators.coreos.com/opendatahub-operator.opendatahub: "" managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:operatorframework.io/installed-alongside-ca74cd5638df5421: {} f:labels: .: {} f:olm.managed: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-06-09T03:07:59Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-06-09T03:07:59Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/opendatahub-operator.opendatahub: {} manager: olm operation: Update time: "2026-06-09T03:07:59Z" name: modelsasservices.components.platform.opendatahub.io resourceVersion: "14293" uid: 56ed0fa3-28f9-470f-a405-d7d4610d8486 spec: conversion: strategy: None group: components.platform.opendatahub.io names: kind: ModelsAsService listKind: ModelsAsServiceList plural: modelsasservices singular: modelsasservice scope: Cluster versions: - additionalPrinterColumns: - description: Ready jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - description: Reason jsonPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string name: v1alpha1 schema: openAPIV3Schema: description: ModelsAsService is the Schema for the modelsasservice API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ModelsAsServiceSpec defines the desired state of ModelsAsService properties: apiKeys: description: APIKeys contains configuration for API key management. properties: maxExpirationDays: description: |- MaxExpirationDays is the maximum allowed expiration in days for API keys. When set, users cannot create API keys with expiration longer than this value. Examples: 30 (one month), 90 (three months), 365 (one year). If not set, no expiration limit is enforced. format: int32 minimum: 1 type: integer type: object externalOIDC: description: |- ExternalOIDC configures an external OIDC identity provider (e.g. Keycloak, Azure AD) for the maas-api AuthPolicy. When set, the operator patches the AuthPolicy to accept JWTs from the specified issuer alongside OpenShift TokenReview and API key authentication. properties: clientId: description: |- ClientID is the OAuth2 client ID. Incoming OIDC tokens must have an azp (authorized party) claim matching this value. maxLength: 256 minLength: 1 pattern: ^\S+$ type: string issuerUrl: description: |- IssuerURL is the OIDC issuer URL (e.g. https://keycloak.example.com/realms/maas). Must serve a .well-known/openid-configuration endpoint over HTTPS. maxLength: 2048 minLength: 9 pattern: ^https://\S+$ type: string ttl: default: 300 description: TTL is the JWKS cache duration in seconds. minimum: 30 type: integer required: - clientId - issuerUrl type: object gatewayRef: description: |- GatewayRef specifies which Gateway (Gateway API) to use for exposing model endpoints. If omitted, defaults to openshift-ingress/maas-default-gateway. properties: name: default: maas-default-gateway description: Name is the name of the Gateway resource. maxLength: 63 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string namespace: default: openshift-ingress description: Namespace is the namespace where the Gateway resource is located. maxLength: 63 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string type: object telemetry: description: |- Telemetry contains configuration for telemetry and metrics collection. When enabled, deploys TelemetryPolicy for usage metrics and Istio Telemetry for per-subscription latency tracking. properties: enabled: default: true description: |- Enabled controls whether telemetry resources are deployed. When true, creates TelemetryPolicy for usage metrics and Istio Telemetry for per-subscription latency tracking. Default is true (telemetry enabled). type: boolean metrics: description: Metrics contains configuration for optional metric dimensions/labels. properties: captureGroup: default: false description: |- CaptureGroup enables the group label on metrics for team-based chargeback. Note: This is a high-cardinality dimension and is disabled by default. type: boolean captureModelUsage: default: true description: CaptureModelUsage enables the model label on metrics. type: boolean captureOrganization: default: true description: CaptureOrganization enables the organization_id label on metrics. type: boolean captureUser: default: false description: |- CaptureUser enables the user label on metrics. Disabled by default for privacy/GDPR compliance. type: boolean type: object type: object type: object status: description: ModelsAsServiceStatus defines the observed state of ModelsAsService properties: conditions: items: properties: lastHeartbeatTime: description: |- The last time we got an update on a given condition, this should not be set and is present only for backward compatibility reasons format: date-time type: string lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: message is a human-readable message indicating details about the transition. type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. The value should be a CamelCase string. type: string severity: description: |- Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - status - type type: object type: array x-kubernetes-list-type: atomic observedGeneration: description: The generation observed by the resource controller. format: int64 type: integer phase: type: string type: object type: object x-kubernetes-validations: - message: ModelsAsService name must be default-modelsasservice rule: self.metadata.name == 'default-modelsasservice' served: true storage: true subresources: status: {} status: acceptedNames: kind: ModelsAsService listKind: ModelsAsServiceList plural: modelsasservices singular: modelsasservice conditions: - lastTransitionTime: "2026-06-09T03:07:59Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-06-09T03:07:59Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1