--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.4 kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"controller-gen.kubebuilder.io/version":"v0.16.4"},"name":"tenants.maas.opendatahub.io"},"spec":{"group":"maas.opendatahub.io","names":{"kind":"Tenant","listKind":"TenantList","plural":"tenants","singular":"tenant"},"scope":"Namespaced","versions":[{"additionalPrinterColumns":[{"description":"Ready","jsonPath":".status.conditions[?(@.type==\"Ready\")].status","name":"Ready","type":"string"},{"description":"Reason","jsonPath":".status.conditions[?(@.type==\"Ready\")].reason","name":"Reason","type":"string"},{"jsonPath":".metadata.creationTimestamp","name":"Age","type":"date"}],"name":"v1alpha1","schema":{"openAPIV3Schema":{"description":"Tenant is the namespace-scoped API for the MaaS platform tenant.\nThe CEL validation above enforces a singleton (name == \"default-tenant\") during v1alpha1.\nTo enable multi-tenancy later, remove the XValidation rule — no CRD migration required\nbecause removing a validation is a non-breaking schema change.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"TenantSpec defines the desired state of Tenant.","properties":{"apiKeys":{"description":"APIKeys contains configuration for API key management.","properties":{"maxExpirationDays":{"format":"int32","minimum":1,"type":"integer"}},"type":"object"},"externalOIDC":{"description":"ExternalOIDC configures an external OIDC identity provider for the maas-api AuthPolicy.","properties":{"clientId":{"description":"ClientID is the OAuth2 client ID.","maxLength":256,"minLength":1,"pattern":"^\\S+$","type":"string"},"issuerUrl":{"description":"IssuerURL is the OIDC issuer URL (e.g. https://keycloak.example.com/realms/maas).","maxLength":2048,"minLength":9,"pattern":"^https://\\S+$","type":"string"},"ttl":{"default":300,"description":"TTL is the JWKS cache duration in seconds.","minimum":30,"type":"integer"}},"required":["clientId","issuerUrl"],"type":"object"},"gatewayRef":{"description":"GatewayRef specifies which Gateway (Gateway API) to use for exposing model endpoints.\nIf omitted, defaults to openshift-ingress/maas-default-gateway.","properties":{"name":{"default":"maas-default-gateway","maxLength":63,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$","type":"string"},"namespace":{"default":"openshift-ingress","maxLength":63,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$","type":"string"}},"type":"object"},"telemetry":{"description":"Telemetry contains configuration for telemetry and metrics collection.","properties":{"enabled":{"default":true,"type":"boolean"},"metrics":{"description":"TenantMetricsConfig defines optional metric dimensions.","properties":{"captureGroup":{"default":false,"type":"boolean"},"captureModelUsage":{"default":true,"type":"boolean"},"captureOrganization":{"default":true,"type":"boolean"},"captureUser":{"default":false,"description":"CaptureUser adds a \"user\" dimension to telemetry metrics containing\nthe authenticated user ID. Defaults to false. Enabling this may\nhave GDPR / privacy implications — ensure compliance before use.","type":"boolean"}},"type":"object"}},"type":"object"}},"type":"object"},"status":{"description":"TenantStatus defines the observed state of Tenant.","properties":{"conditions":{"description":"Conditions represent the latest available observations.\nTypes mirror ODH modelsasservice / internal controller status for DSC aggregation: Ready,\nDependenciesAvailable, MaaSPrerequisitesAvailable, DeploymentsAvailable, Degraded.","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array"},"phase":{"description":"Phase is a high-level lifecycle phase for the platform reconcile.","enum":["Pending","Active","Degraded","Failed"],"type":"string"}},"type":"object"}},"type":"object","x-kubernetes-validations":[{"message":"Tenant name must be default-tenant","rule":"self.metadata.name == 'default-tenant'"}]}},"served":true,"storage":true,"subresources":{"status":{}}}]}} creationTimestamp: "2026-04-20T15:03:05Z" generation: 1 managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-04-20T15:03:05Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: kubectl-client-side-apply operation: Update time: "2026-04-20T15:03:05Z" name: tenants.maas.opendatahub.io resourceVersion: "21090" uid: 0ab194da-c919-48d5-9484-42e2daa8ee67 spec: conversion: strategy: None group: maas.opendatahub.io names: kind: Tenant listKind: TenantList plural: tenants singular: tenant scope: Namespaced versions: - additionalPrinterColumns: - description: Ready jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - description: Reason jsonPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: |- Tenant is the namespace-scoped API for the MaaS platform tenant. The CEL validation above enforces a singleton (name == "default-tenant") during v1alpha1. To enable multi-tenancy later, remove the XValidation rule — no CRD migration required because removing a validation is a non-breaking schema change. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: TenantSpec defines the desired state of Tenant. properties: apiKeys: description: APIKeys contains configuration for API key management. properties: maxExpirationDays: format: int32 minimum: 1 type: integer type: object externalOIDC: description: ExternalOIDC configures an external OIDC identity provider for the maas-api AuthPolicy. properties: clientId: description: ClientID is the OAuth2 client ID. maxLength: 256 minLength: 1 pattern: ^\S+$ type: string issuerUrl: description: IssuerURL is the OIDC issuer URL (e.g. https://keycloak.example.com/realms/maas). maxLength: 2048 minLength: 9 pattern: ^https://\S+$ type: string ttl: default: 300 description: TTL is the JWKS cache duration in seconds. minimum: 30 type: integer required: - clientId - issuerUrl type: object gatewayRef: description: |- GatewayRef specifies which Gateway (Gateway API) to use for exposing model endpoints. If omitted, defaults to openshift-ingress/maas-default-gateway. properties: name: default: maas-default-gateway maxLength: 63 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string namespace: default: openshift-ingress maxLength: 63 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string type: object telemetry: description: Telemetry contains configuration for telemetry and metrics collection. properties: enabled: default: true type: boolean metrics: description: TenantMetricsConfig defines optional metric dimensions. properties: captureGroup: default: false type: boolean captureModelUsage: default: true type: boolean captureOrganization: default: true type: boolean captureUser: default: false description: |- CaptureUser adds a "user" dimension to telemetry metrics containing the authenticated user ID. Defaults to false. Enabling this may have GDPR / privacy implications — ensure compliance before use. type: boolean type: object type: object type: object status: description: TenantStatus defines the observed state of Tenant. properties: conditions: description: |- Conditions represent the latest available observations. Types mirror ODH modelsasservice / internal controller status for DSC aggregation: Ready, DependenciesAvailable, MaaSPrerequisitesAvailable, DeploymentsAvailable, Degraded. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array phase: description: Phase is a high-level lifecycle phase for the platform reconcile. enum: - Pending - Active - Degraded - Failed type: string type: object type: object x-kubernetes-validations: - message: Tenant name must be default-tenant rule: self.metadata.name == 'default-tenant' served: true storage: true subresources: status: {} status: acceptedNames: kind: Tenant listKind: TenantList plural: tenants singular: tenant conditions: - lastTransitionTime: "2026-04-20T15:03:05Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-04-20T15:03:05Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1