v1beta1

type ClientAuthSpec struct {
	// ID is the client ID for service account authentication
	// +kubebuilder:validation:Required
	ID string `json:"id"`

	// Secret is the client secret (optional for public clients)
	// +optional
	Secret *string `json:"secret,omitempty"`
}

type ClientDefinition struct {
	// ClientId is the unique client identifier
	// +kubebuilder:validation:Required
	ClientId string `json:"clientId"`

	// Name is the display name of the client
	// +optional
	Name string `json:"name,omitempty"`

	// Description of the client
	// +optional
	Description string `json:"description,omitempty"`

	// Enabled indicates whether the client is enabled
	// +optional
	Enabled *bool `json:"enabled,omitempty"`

	// Protocol is the client protocol (openid-connect or saml)
	// +optional
	// +kubebuilder:validation:Enum=openid-connect;saml
	Protocol string `json:"protocol,omitempty"`

	// PublicClient indicates if this is a public client
	// +optional
	PublicClient *bool `json:"publicClient,omitempty"`

	// StandardFlowEnabled enables Authorization Code Flow
	// +optional
	StandardFlowEnabled *bool `json:"standardFlowEnabled,omitempty"`

	// ImplicitFlowEnabled enables Implicit Flow
	// +optional
	ImplicitFlowEnabled *bool `json:"implicitFlowEnabled,omitempty"`

	// DirectAccessGrantsEnabled enables Direct Access Grants
	// +optional
	DirectAccessGrantsEnabled *bool `json:"directAccessGrantsEnabled,omitempty"`

	// ServiceAccountsEnabled enables service account
	// +optional
	ServiceAccountsEnabled *bool `json:"serviceAccountsEnabled,omitempty"`

	// BearerOnly indicates bearer-only client
	// +optional
	BearerOnly *bool `json:"bearerOnly,omitempty"`

	// ConsentRequired requires user consent
	// +optional
	ConsentRequired *bool `json:"consentRequired,omitempty"`

	// RootUrl is the root URL of the application
	// +optional
	RootUrl string `json:"rootUrl,omitempty"`

	// BaseUrl is the default URL for the client
	// +optional
	BaseUrl string `json:"baseUrl,omitempty"`

	// AdminUrl is the URL to the admin interface
	// +optional
	AdminUrl string `json:"adminUrl,omitempty"`

	// RedirectUris is a list of valid redirect URIs
	// +optional
	RedirectUris []string `json:"redirectUris,omitempty"`

	// WebOrigins is a list of allowed CORS origins
	// +optional
	WebOrigins []string `json:"webOrigins,omitempty"`

	// Secret is the client secret (for confidential clients)
	// +optional
	Secret string `json:"secret,omitempty"`

	// DefaultClientScopes assigned by default
	// +optional
	DefaultClientScopes []string `json:"defaultClientScopes,omitempty"`

	// OptionalClientScopes available optionally
	// +optional
	OptionalClientScopes []string `json:"optionalClientScopes,omitempty"`

	// Attributes for additional client configuration
	// +optional
	Attributes map[string]string `json:"attributes,omitempty"`

	// AuthorizationServicesEnabled enables fine-grained authorization
	// +optional
	AuthorizationServicesEnabled *bool `json:"authorizationServicesEnabled,omitempty"`

	// FullScopeAllowed allows full scope
	// +optional
	FullScopeAllowed *bool `json:"fullScopeAllowed,omitempty"`

	// FrontchannelLogout enables front-channel logout
	// +optional
	FrontchannelLogout *bool `json:"frontchannelLogout,omitempty"`

	// ClientAuthenticatorType specifies the authenticator type
	// +optional
	// +kubebuilder:validation:Enum=client-secret;client-jwt;client-secret-jwt;client-x509
	ClientAuthenticatorType string `json:"clientAuthenticatorType,omitempty"`
}

type ClientSecretRefSpec struct {
	// Name of the Kubernetes Secret
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// ClientIdKey is the key for the client ID in the secret.
	// Defaults to "client-id".
	// +optional
	ClientIdKey *string `json:"clientIdKey,omitempty"`

	// ClientSecretKey is the key for the client secret value in the secret.
	// Defaults to "client-secret".
	// +optional
	ClientSecretKey *string `json:"clientSecretKey,omitempty"`

	// Create determines behavior when the secret doesn't exist.
	// If true (default): auto-generate a secret and create the Secret.
	// If false: error if the secret doesn't exist (strict mode for GitOps).
	// +optional
	// +kubebuilder:default=true
	Create *bool `json:"create,omitempty"`
}

type ClusterCredentialsSpec struct {
	// SecretRef contains the reference to the secret with credentials
	// +kubebuilder:validation:Required
	SecretRef ClusterSecretRefSpec `json:"secretRef"`
}

type ClusterKeycloakInstance struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ClusterKeycloakInstanceSpec   `json:"spec,omitempty"`
	Status ClusterKeycloakInstanceStatus `json:"status,omitempty"`
}

type ClusterKeycloakInstanceList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterKeycloakInstance `json:"items"`
}

type ClusterKeycloakInstanceSpec struct {
	// BaseUrl is the URL of the Keycloak server (e.g., http://keycloak:8080)
	// +kubebuilder:validation:Required
	BaseUrl string `json:"baseUrl"`

	// Credentials contains the reference to the admin credentials secret
	// +kubebuilder:validation:Required
	Credentials ClusterCredentialsSpec `json:"credentials"`

	// Realm is the admin realm (defaults to "master")
	// +optional
	Realm *string `json:"realm,omitempty"`

	// Client contains optional service account client configuration
	// +optional
	Client *ClientAuthSpec `json:"client,omitempty"`

	// Token contains optional token caching configuration
	// +optional
	Token *TokenSpec `json:"token,omitempty"`
}

type ClusterKeycloakInstanceStatus struct {
	// Ready indicates if the Keycloak instance is accessible
	Ready bool `json:"ready"`

	// Version is the Keycloak server version
	// +optional
	Version string `json:"version,omitempty"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information about the status
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the API path for this resource
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type ClusterKeycloakRealm struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ClusterKeycloakRealmSpec   `json:"spec,omitempty"`
	Status ClusterKeycloakRealmStatus `json:"status,omitempty"`
}

type ClusterKeycloakRealmList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterKeycloakRealm `json:"items"`
}

type ClusterKeycloakRealmSpec struct {
	// InstanceRef is a reference to a namespaced KeycloakInstance
	// One of instanceRef or clusterInstanceRef must be specified
	// +optional
	InstanceRef *NamespacedRef `json:"instanceRef,omitempty"`

	// ClusterInstanceRef is a reference to a ClusterKeycloakInstance
	// One of instanceRef or clusterInstanceRef must be specified
	// +optional
	ClusterInstanceRef *ClusterResourceRef `json:"clusterInstanceRef,omitempty"`

	// RealmName is the name of the realm in Keycloak (defaults to metadata.name)
	// +optional
	RealmName *string `json:"realmName,omitempty"`

	// SmtpSecretRef is a reference to a Kubernetes Secret containing SMTP credentials.
	// When set, the secret values are injected into definition.smtpServer.user and
	// definition.smtpServer.password before syncing to Keycloak.
	// +optional
	SmtpSecretRef *ClusterSmtpSecretRefSpec `json:"smtpSecretRef,omitempty"`

	// Definition contains the Keycloak RealmRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type ClusterKeycloakRealmStatus struct {
	// Ready indicates if the realm is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this realm
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// RealmName is the actual realm name in Keycloak
	// +optional
	RealmName string `json:"realmName,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type ClusterResourceRef struct {
	// Name of the cluster-scoped resource
	// +kubebuilder:validation:Required
	Name string `json:"name"`
}

type ClusterSecretRefSpec struct {
	// Name is the name of the secret
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Namespace is the namespace of the secret (required for cluster-scoped resources)
	// +kubebuilder:validation:Required
	Namespace string `json:"namespace"`

	// UsernameKey is the key in the secret for the username (defaults to "username")
	// +kubebuilder:default="username"
	// +optional
	UsernameKey string `json:"usernameKey,omitempty"`

	// PasswordKey is the key in the secret for the password (defaults to "password")
	// +kubebuilder:default="password"
	// +optional
	PasswordKey string `json:"passwordKey,omitempty"`
}

type ClusterSmtpSecretRefSpec struct {
	// Name of the Kubernetes Secret
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Namespace of the Kubernetes Secret (required for cluster-scoped resources)
	// +kubebuilder:validation:Required
	Namespace string `json:"namespace"`

	// UserKey is the key in the secret for the SMTP username (defaults to "user")
	// +kubebuilder:default="user"
	// +optional
	UserKey string `json:"userKey,omitempty"`

	// PasswordKey is the key in the secret for the SMTP password (defaults to "password")
	// +kubebuilder:default="password"
	// +optional
	PasswordKey string `json:"passwordKey,omitempty"`
}

type ComponentDefinition struct {
	// Name is the component name (required)
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// ProviderID is the provider ID (required)
	// +kubebuilder:validation:Required
	ProviderID string `json:"providerId"`

	// ProviderType is the provider type (required)
	// Examples: org.keycloak.storage.UserStorageProvider, org.keycloak.keys.KeyProvider
	// +kubebuilder:validation:Required
	ProviderType string `json:"providerType"`

	// ParentID is the parent component ID (usually the realm ID)
	// +optional
	ParentId string `json:"parentId,omitempty"`

	// SubType is an optional subtype
	// +optional
	SubType string `json:"subType,omitempty"`

	// Config contains component configuration
	// +optional
	Config map[string][]string `json:"config,omitempty"`
}

type CredentialRepresentation struct {
	// Type of credential (e.g., "password")
	// +kubebuilder:validation:Required
	Type string `json:"type"`

	// Value of the credential
	// +optional
	Value string `json:"value,omitempty"`

	// Temporary indicates if the credential is temporary
	// +optional
	Temporary *bool `json:"temporary,omitempty"`
}

type CredentialSecretSpec struct {
	// SecretName is the name of the Kubernetes secret
	// +kubebuilder:validation:Required
	SecretName string `json:"secretName"`

	// Create indicates whether to create the secret if it doesn't exist
	// +optional
	Create bool `json:"create,omitempty"`

	// UsernameKey is the key for the username in the secret
	// +kubebuilder:default="username"
	// +optional
	UsernameKey string `json:"usernameKey,omitempty"`

	// PasswordKey is the key for the password in the secret
	// +kubebuilder:default="password"
	// +optional
	PasswordKey string `json:"passwordKey,omitempty"`

	// EmailKey is the key for the email in the secret
	// +optional
	EmailKey string `json:"emailKey,omitempty"`

	// PasswordPolicy configures password generation
	// +optional
	PasswordPolicy *PasswordPolicySpec `json:"passwordPolicy,omitempty"`
}

type CredentialsSpec struct {
	// SecretRef contains the reference to the secret with credentials
	// +kubebuilder:validation:Required
	SecretRef SecretRefSpec `json:"secretRef"`
}

type IDPConfigSecretRef struct {
	// Name of the Kubernetes Secret
	// +kubebuilder:validation:Required
	Name string `json:"name"`
}

type InitialPassword struct {
	// Value is the password value
	Value string `json:"value"`

	// Temporary indicates if the user must change password on first login
	// +optional
	Temporary bool `json:"temporary,omitempty"`
}

type InstanceRef struct {
	// InstanceRef is the name of the namespaced instance
	// +optional
	InstanceRef string `json:"instanceRef,omitempty"`

	// ClusterInstanceRef is the name of the cluster instance
	// +optional
	ClusterInstanceRef string `json:"clusterInstanceRef,omitempty"`
}

type KeycloakClient struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientSpec   `json:"spec,omitempty"`
	Status KeycloakClientStatus `json:"status,omitempty"`
}

type KeycloakClientList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClient `json:"items"`
}

type KeycloakClientScope struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientScopeSpec   `json:"spec,omitempty"`
	Status KeycloakClientScopeStatus `json:"status,omitempty"`
}

type KeycloakClientScopeList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClientScope `json:"items"`
}

type KeycloakClientScopeSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// Definition contains the Keycloak ClientScopeRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakClientScopeStatus struct {
	// Ready indicates if the client scope is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this client scope
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakClientSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// ClientId is the client ID in Keycloak (defaults to metadata.name)
	// +optional
	ClientId *string `json:"clientId,omitempty"`

	// Definition contains the Keycloak ClientRepresentation
	// +kubebuilder:pruning:PreserveUnknownFields
	// +optional
	Definition *runtime.RawExtension `json:"definition,omitempty"`

	// ClientSecretRef configures the Kubernetes Secret for client credentials.
	// If the secret exists, its value is used. If it doesn't exist and Create is true,
	// the operator auto-generates a secret and creates it.
	// +optional
	ClientSecretRef *ClientSecretRefSpec `json:"clientSecretRef,omitempty"`
}

type KeycloakClientStatus struct {
	// Ready indicates if the client is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this client
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// ClientUUID is the Keycloak internal ID
	// +optional
	ClientUUID string `json:"clientUUID,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakComponent struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakComponentSpec   `json:"spec,omitempty"`
	Status KeycloakComponentStatus `json:"status,omitempty"`
}

type KeycloakComponentList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakComponent `json:"items"`
}

type KeycloakComponentSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// Definition contains the Keycloak ComponentRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakComponentStatus struct {
	// Ready indicates if the component is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this component
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// ComponentID is the Keycloak internal component ID
	// +optional
	ComponentID string `json:"componentID,omitempty"`

	// ComponentName is the component name in Keycloak
	// +optional
	ComponentName string `json:"componentName,omitempty"`

	// ProviderType is the component provider type
	// +optional
	ProviderType string `json:"providerType,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakGroup struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakGroupSpec   `json:"spec,omitempty"`
	Status KeycloakGroupStatus `json:"status,omitempty"`
}

type KeycloakGroupList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakGroup `json:"items"`
}

type KeycloakGroupSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// ParentGroupRef is a reference to a parent KeycloakGroup (for nested groups)
	// +optional
	ParentGroupRef *ResourceRef `json:"parentGroupRef,omitempty"`

	// Definition contains the Keycloak GroupRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakGroupStatus struct {
	// Ready indicates if the group is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this group
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// GroupID is the Keycloak internal group ID
	// +optional
	GroupID string `json:"groupID,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakIdentityProviderSpec   `json:"spec,omitempty"`
	Status KeycloakIdentityProviderStatus `json:"status,omitempty"`
}

type KeycloakIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakIdentityProvider `json:"items"`
}

type KeycloakIdentityProviderSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// ConfigSecretRef is a reference to a Kubernetes Secret whose data entries
	// are merged into definition.config before syncing to Keycloak. This allows
	// sensitive configuration values (e.g. clientId, clientSecret) to be stored
	// in a Secret rather than in plaintext in the CR. Secret values take
	// precedence over values specified inline in definition.config.
	// +optional
	ConfigSecretRef *IDPConfigSecretRef `json:"configSecretRef,omitempty"`

	// Definition contains the Keycloak IdentityProviderRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakIdentityProviderStatus struct {
	// Ready indicates if the identity provider is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this identity provider
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakInstance struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakInstanceSpec   `json:"spec,omitempty"`
	Status KeycloakInstanceStatus `json:"status,omitempty"`
}

type KeycloakInstanceList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakInstance `json:"items"`
}

type KeycloakInstanceSpec struct {
	// BaseUrl is the URL of the Keycloak server (e.g., http://keycloak:8080)
	// +kubebuilder:validation:Required
	BaseUrl string `json:"baseUrl"`

	// Credentials contains the reference to the admin credentials secret
	// +kubebuilder:validation:Required
	Credentials CredentialsSpec `json:"credentials"`

	// Realm is the admin realm (defaults to "master")
	// +optional
	Realm *string `json:"realm,omitempty"`

	// Client contains optional service account client configuration
	// +optional
	Client *ClientAuthSpec `json:"client,omitempty"`

	// Token contains optional token caching configuration
	// +optional
	Token *TokenSpec `json:"token,omitempty"`
}

type KeycloakInstanceStatus struct {
	// Ready indicates if the Keycloak instance is accessible
	Ready bool `json:"ready"`

	// Version is the Keycloak server version
	// +optional
	Version string `json:"version,omitempty"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information about the status
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the API path for this resource
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakOrganization struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakOrganizationSpec   `json:"spec,omitempty"`
	Status KeycloakOrganizationStatus `json:"status,omitempty"`
}

type KeycloakOrganizationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakOrganization `json:"items"`
}

type KeycloakOrganizationSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// Definition contains the Keycloak OrganizationRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakOrganizationStatus struct {
	// Ready indicates if the organization is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this organization
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// OrganizationID is the Keycloak internal organization ID
	// +optional
	OrganizationID string `json:"organizationID,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakProtocolMapper struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakProtocolMapperSpec   `json:"spec,omitempty"`
	Status KeycloakProtocolMapperStatus `json:"status,omitempty"`
}

type KeycloakProtocolMapperList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakProtocolMapper `json:"items"`
}

type KeycloakProtocolMapperSpec struct {
	// ClientRef is a reference to a KeycloakClient
	// One of clientRef or clientScopeRef must be specified
	// +optional
	ClientRef *ResourceRef `json:"clientRef,omitempty"`

	// ClientScopeRef is a reference to a KeycloakClientScope
	// One of clientRef or clientScopeRef must be specified
	// +optional
	ClientScopeRef *ResourceRef `json:"clientScopeRef,omitempty"`

	// Definition contains the Keycloak ProtocolMapperRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakProtocolMapperStatus struct {
	// Ready indicates if the protocol mapper is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this protocol mapper
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// MapperID is the Keycloak internal mapper ID
	// +optional
	MapperID string `json:"mapperID,omitempty"`

	// MapperName is the mapper name in Keycloak
	// +optional
	MapperName string `json:"mapperName,omitempty"`

	// ParentType indicates if parent is "client" or "clientScope"
	// +optional
	ParentType string `json:"parentType,omitempty"`

	// ParentID is the parent client or clientScope ID
	// +optional
	ParentID string `json:"parentID,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakRealm struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRealmSpec   `json:"spec,omitempty"`
	Status KeycloakRealmStatus `json:"status,omitempty"`
}

type KeycloakRealmList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRealm `json:"items"`
}

type KeycloakRealmSpec struct {
	// InstanceRef is a reference to a KeycloakInstance
	// One of instanceRef or clusterInstanceRef must be specified
	// +optional
	InstanceRef *ResourceRef `json:"instanceRef,omitempty"`

	// ClusterInstanceRef is a reference to a ClusterKeycloakInstance
	// One of instanceRef or clusterInstanceRef must be specified
	// +optional
	ClusterInstanceRef *ClusterResourceRef `json:"clusterInstanceRef,omitempty"`

	// RealmName is the name of the realm in Keycloak (defaults to metadata.name)
	// +optional
	RealmName *string `json:"realmName,omitempty"`

	// SmtpSecretRef is a reference to a Kubernetes Secret containing SMTP credentials.
	// When set, the secret values are injected into definition.smtpServer.user and
	// definition.smtpServer.password before syncing to Keycloak, so credentials
	// do not need to appear in plaintext in the CR.
	// +optional
	SmtpSecretRef *SmtpSecretRefSpec `json:"smtpSecretRef,omitempty"`

	// Definition contains the Keycloak RealmRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakRealmStatus struct {
	// Ready indicates if the realm is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this realm
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakRequiredAction struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRequiredActionSpec   `json:"spec,omitempty"`
	Status KeycloakRequiredActionStatus `json:"status,omitempty"`
}

type KeycloakRequiredActionList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRequiredAction `json:"items"`
}

type KeycloakRequiredActionSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// Definition contains the Keycloak RequiredActionProviderRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakRequiredActionStatus struct {
	// Ready indicates if the required action is synchronized
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this required action
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Alias is the required action alias in Keycloak
	// +optional
	Alias string `json:"alias,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRoleSpec   `json:"spec,omitempty"`
	Status KeycloakRoleStatus `json:"status,omitempty"`
}

type KeycloakRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRole `json:"items"`
}

type KeycloakRoleMapping struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRoleMappingSpec   `json:"spec,omitempty"`
	Status KeycloakRoleMappingStatus `json:"status,omitempty"`
}

type KeycloakRoleMappingList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRoleMapping `json:"items"`
}

type KeycloakRoleMappingSpec struct {
	// Subject defines who the role is assigned to (user or group)
	// +kubebuilder:validation:Required
	Subject RoleMappingSubject `json:"subject"`

	// Role defines the role to assign (inline definition)
	// Either Role or RoleRef must be specified
	// +optional
	Role *RoleDefinition `json:"role,omitempty"`

	// RoleRef references an existing KeycloakRole resource
	// Either Role or RoleRef must be specified
	// +optional
	RoleRef *ResourceRef `json:"roleRef,omitempty"`
}

type KeycloakRoleMappingStatus struct {
	// Ready indicates if the role mapping is applied
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this role mapping
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// SubjectType is either "user" or "group"
	// +optional
	SubjectType string `json:"subjectType,omitempty"`

	// SubjectID is the Keycloak ID of the subject
	// +optional
	SubjectID string `json:"subjectID,omitempty"`

	// RoleName is the resolved role name
	// +optional
	RoleName string `json:"roleName,omitempty"`

	// RoleType is either "realm" or "client"
	// +optional
	RoleType string `json:"roleType,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakRoleSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef or clusterRealmRef must be specified
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// ClientRef is a reference to a KeycloakClient for client-level roles
	// If not specified, the role is a realm-level role
	// +optional
	ClientRef *ResourceRef `json:"clientRef,omitempty"`

	// Definition contains the Keycloak RoleRepresentation
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Definition runtime.RawExtension `json:"definition"`
}

type KeycloakRoleStatus struct {
	// Ready indicates if the role is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this role
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// RoleID is the Keycloak internal role ID
	// +optional
	RoleID string `json:"roleID,omitempty"`

	// RoleName is the role name in Keycloak
	// +optional
	RoleName string `json:"roleName,omitempty"`

	// IsClientRole indicates if this is a client role
	// +optional
	IsClientRole bool `json:"isClientRole,omitempty"`

	// ClientID is the client ID if this is a client role
	// +optional
	ClientID string `json:"clientID,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakUser struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakUserSpec   `json:"spec,omitempty"`
	Status KeycloakUserStatus `json:"status,omitempty"`
}

type KeycloakUserCredential struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakUserCredentialSpec   `json:"spec,omitempty"`
	Status KeycloakUserCredentialStatus `json:"status,omitempty"`
}

type KeycloakUserCredentialList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakUserCredential `json:"items"`
}

type KeycloakUserCredentialSpec struct {
	// UserRef is a reference to a KeycloakUser
	// +kubebuilder:validation:Required
	UserRef ResourceRef `json:"userRef"`

	// UserSecret defines the secret containing the credentials
	// +kubebuilder:validation:Required
	UserSecret CredentialSecretSpec `json:"userSecret"`
}

type KeycloakUserCredentialStatus struct {
	// Ready indicates if the credentials are synchronized
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for the user
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// SecretCreated indicates if the secret was created by the operator
	// +optional
	SecretCreated bool `json:"secretCreated,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// PasswordHash is a hash of the last synchronized password (for change detection)
	// +optional
	PasswordHash string `json:"passwordHash,omitempty"`

	// SecretResourceVersion is the resource version of the secret when last synced
	// +optional
	SecretResourceVersion string `json:"secretResourceVersion,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type KeycloakUserList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakUser `json:"items"`
}

type KeycloakUserSpec struct {
	// RealmRef is a reference to a KeycloakRealm
	// One of realmRef, clusterRealmRef, or clientRef must be specified
	// Use this for regular realm users
	// +optional
	RealmRef *ResourceRef `json:"realmRef,omitempty"`

	// ClusterRealmRef is a reference to a ClusterKeycloakRealm
	// One of realmRef, clusterRealmRef, or clientRef must be specified
	// Use this for regular realm users with cluster-scoped realms
	// +optional
	ClusterRealmRef *ClusterResourceRef `json:"clusterRealmRef,omitempty"`

	// ClientRef is a reference to a KeycloakClient for service account users
	// One of realmRef, clusterRealmRef, or clientRef must be specified
	// Use this to manage the service account user associated with a client
	// +optional
	ClientRef *ResourceRef `json:"clientRef,omitempty"`

	// Definition contains the Keycloak UserRepresentation
	// +kubebuilder:pruning:PreserveUnknownFields
	// +optional
	Definition *runtime.RawExtension `json:"definition,omitempty"`

	// InitialPassword sets the initial password for the user (only on creation)
	// +optional
	InitialPassword *InitialPassword `json:"initialPassword,omitempty"`

	// UserSecret configures where to store user credentials
	// +optional
	UserSecret *UserSecretSpec `json:"userSecret,omitempty"`
}

type KeycloakUserStatus struct {
	// Ready indicates if the user is ready
	Ready bool `json:"ready"`

	// Status is a human-readable status message
	// +optional
	Status string `json:"status,omitempty"`

	// Message contains additional information
	// +optional
	Message string `json:"message,omitempty"`

	// ResourcePath is the Keycloak API path for this user
	// +optional
	ResourcePath string `json:"resourcePath,omitempty"`

	// UserID is the Keycloak internal user ID
	// +optional
	UserID string `json:"userID,omitempty"`

	// IsServiceAccount indicates if this user is a service account for a client
	// +optional
	IsServiceAccount bool `json:"isServiceAccount,omitempty"`

	// ClientID is the client UUID if this is a service account user
	// +optional
	ClientID string `json:"clientID,omitempty"`

	// Instance contains the resolved instance reference
	// +optional
	Instance *InstanceRef `json:"instance,omitempty"`

	// Realm contains the resolved realm reference
	// +optional
	Realm *RealmRef `json:"realm,omitempty"`

	// ObservedGeneration is the generation of the spec that was last processed
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Conditions represent the latest available observations
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type NamespacedRef struct {
	// Name of the resource
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Namespace of the resource
	// +kubebuilder:validation:Required
	Namespace string `json:"namespace"`
}

type OrganizationDefinition struct {
	// Name is the organization name (required)
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Alias is the URL-friendly identifier for the organization
	// +optional
	Alias string `json:"alias,omitempty"`

	// Description of the organization
	// +optional
	Description string `json:"description,omitempty"`

	// Enabled indicates whether the organization is enabled
	// +optional
	Enabled *bool `json:"enabled,omitempty"`

	// Domains associated with the organization
	// +optional
	Domains []OrganizationDomain `json:"domains,omitempty"`

	// Attributes for custom organization attributes
	// +optional
	Attributes map[string][]string `json:"attributes,omitempty"`
}

type OrganizationDomain struct {
	// Name is the domain name
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Verified indicates if the domain is verified
	// +optional
	Verified bool `json:"verified,omitempty"`
}

type PasswordPolicySpec struct {
	// Length is the password length (default 24)
	// +kubebuilder:default=24
	// +optional
	Length int `json:"length,omitempty"`

	// IncludeNumbers includes numbers in the password
	// +kubebuilder:default=true
	// +optional
	IncludeNumbers *bool `json:"includeNumbers,omitempty"`

	// IncludeSymbols includes symbols in the password
	// +kubebuilder:default=true
	// +optional
	IncludeSymbols *bool `json:"includeSymbols,omitempty"`
}

type ProtocolMapperDefinition struct {
	// Name is the mapper name (required)
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Protocol is the protocol (openid-connect or saml)
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum=openid-connect;saml
	Protocol string `json:"protocol"`

	// ProtocolMapper is the mapper type
	// +kubebuilder:validation:Required
	ProtocolMapper string `json:"protocolMapper"`

	// ConsentRequired indicates if consent is required
	// +optional
	ConsentRequired *bool `json:"consentRequired,omitempty"`

	// Config contains mapper configuration
	// +optional
	Config map[string]string `json:"config,omitempty"`
}

type RealmDefinition struct {
	// Realm is the realm name (unique identifier)
	// +kubebuilder:validation:Required
	Realm string `json:"realm"`

	// DisplayName is the display name of the realm
	// +optional
	DisplayName string `json:"displayName,omitempty"`

	// DisplayNameHtml is the HTML display name
	// +optional
	DisplayNameHtml string `json:"displayNameHtml,omitempty"`

	// Enabled indicates whether the realm is enabled
	// +optional
	Enabled *bool `json:"enabled,omitempty"`

	// RegistrationAllowed allows user self-registration
	// +optional
	RegistrationAllowed *bool `json:"registrationAllowed,omitempty"`

	// LoginWithEmailAllowed allows login with email
	// +optional
	LoginWithEmailAllowed *bool `json:"loginWithEmailAllowed,omitempty"`

	// DuplicateEmailsAllowed allows duplicate emails
	// +optional
	DuplicateEmailsAllowed *bool `json:"duplicateEmailsAllowed,omitempty"`

	// ResetPasswordAllowed enables password reset
	// +optional
	ResetPasswordAllowed *bool `json:"resetPasswordAllowed,omitempty"`

	// VerifyEmail requires email verification
	// +optional
	VerifyEmail *bool `json:"verifyEmail,omitempty"`

	// SslRequired specifies SSL requirement level
	// +optional
	// +kubebuilder:validation:Enum=all;external;none
	SslRequired string `json:"sslRequired,omitempty"`

	// AccessTokenLifespan in seconds
	// +optional
	AccessTokenLifespan *int32 `json:"accessTokenLifespan,omitempty"`

	// SsoSessionIdleTimeout in seconds
	// +optional
	SsoSessionIdleTimeout *int32 `json:"ssoSessionIdleTimeout,omitempty"`

	// SsoSessionMaxLifespan in seconds
	// +optional
	SsoSessionMaxLifespan *int32 `json:"ssoSessionMaxLifespan,omitempty"`

	// LoginTheme for the realm
	// +optional
	LoginTheme string `json:"loginTheme,omitempty"`

	// AccountTheme for the realm
	// +optional
	AccountTheme string `json:"accountTheme,omitempty"`

	// AdminTheme for the realm
	// +optional
	AdminTheme string `json:"adminTheme,omitempty"`

	// EmailTheme for the realm
	// +optional
	EmailTheme string `json:"emailTheme,omitempty"`

	// InternationalizationEnabled enables i18n
	// +optional
	InternationalizationEnabled *bool `json:"internationalizationEnabled,omitempty"`

	// SupportedLocales list of supported locales
	// +optional
	SupportedLocales []string `json:"supportedLocales,omitempty"`

	// DefaultLocale for the realm
	// +optional
	DefaultLocale string `json:"defaultLocale,omitempty"`

	// BruteForceProtected enables brute force protection
	// +optional
	BruteForceProtected *bool `json:"bruteForceProtected,omitempty"`

	// SmtpServer configuration
	// +optional
	SmtpServer map[string]string `json:"smtpServer,omitempty"`

	// Attributes for custom attributes
	// +optional
	Attributes map[string]string `json:"attributes,omitempty"`
}

type RealmRef struct {
	// RealmRef is the name of the namespaced realm
	// +optional
	RealmRef string `json:"realmRef,omitempty"`

	// ClusterRealmRef is the name of the cluster realm
	// +optional
	ClusterRealmRef string `json:"clusterRealmRef,omitempty"`
}

type ResourceRef struct {
	// Name of the resource
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Namespace of the resource (optional, defaults to the same namespace)
	// +optional
	Namespace *string `json:"namespace,omitempty"`
}

type RoleDefinition struct {
	// Name is the role name
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// ClientRef references a KeycloakClient for client-level roles
	// If not specified, the role is a realm-level role
	// +optional
	ClientRef *ResourceRef `json:"clientRef,omitempty"`

	// ClientID is the client ID for client-level roles (alternative to ClientRef)
	// +optional
	ClientID *string `json:"clientId,omitempty"`
}

type RoleMappingSubject struct {
	// UserRef references a KeycloakUser
	// +optional
	UserRef *ResourceRef `json:"userRef,omitempty"`

	// GroupRef references a KeycloakGroup
	// +optional
	GroupRef *ResourceRef `json:"groupRef,omitempty"`
}

type RoleRepresentation struct {
	// Name is the role name (required)
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Description of the role
	// +optional
	Description string `json:"description,omitempty"`

	// Composite indicates if this is a composite role
	// +optional
	Composite *bool `json:"composite,omitempty"`

	// ClientRole indicates if this is a client role
	// +optional
	ClientRole *bool `json:"clientRole,omitempty"`

	// ContainerId is the container ID (realm or client ID)
	// +optional
	ContainerId string `json:"containerId,omitempty"`

	// Attributes for custom role attributes
	// +optional
	Attributes map[string][]string `json:"attributes,omitempty"`
}

type SecretRefSpec struct {
	// Name is the name of the secret
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// Namespace is the namespace of the secret (defaults to resource namespace)
	// +optional
	Namespace *string `json:"namespace,omitempty"`

	// UsernameKey is the key in the secret for the username (defaults to "username")
	// +kubebuilder:default="username"
	// +optional
	UsernameKey string `json:"usernameKey,omitempty"`

	// PasswordKey is the key in the secret for the password (defaults to "password")
	// +kubebuilder:default="password"
	// +optional
	PasswordKey string `json:"passwordKey,omitempty"`
}

type SmtpSecretRefSpec struct {
	// Name of the Kubernetes Secret
	// +kubebuilder:validation:Required
	Name string `json:"name"`

	// UserKey is the key in the secret for the SMTP username (defaults to "user")
	// +kubebuilder:default="user"
	// +optional
	UserKey string `json:"userKey,omitempty"`

	// PasswordKey is the key in the secret for the SMTP password (defaults to "password")
	// +kubebuilder:default="password"
	// +optional
	PasswordKey string `json:"passwordKey,omitempty"`
}

type TokenSpec struct {
	// SecretName is the name of the secret to cache the token
	// +optional
	SecretName *string `json:"secretName,omitempty"`

	// TokenKey is the key in the secret for the token
	// +optional
	TokenKey *string `json:"tokenKey,omitempty"`

	// ExpiresKey is the key in the secret for the token expiration
	// +optional
	ExpiresKey *string `json:"expiresKey,omitempty"`
}

type UserDefinition struct {
	// Username is the unique username
	// +kubebuilder:validation:Required
	Username string `json:"username"`

	// Email address
	// +optional
	Email string `json:"email,omitempty"`

	// EmailVerified indicates if email is verified
	// +optional
	EmailVerified *bool `json:"emailVerified,omitempty"`

	// FirstName of the user
	// +optional
	FirstName string `json:"firstName,omitempty"`

	// LastName of the user
	// +optional
	LastName string `json:"lastName,omitempty"`

	// Enabled indicates if the user is enabled
	// +optional
	Enabled *bool `json:"enabled,omitempty"`

	// Groups the user belongs to
	// +optional
	Groups []string `json:"groups,omitempty"`

	// RealmRoles assigned to the user
	// +optional
	RealmRoles []string `json:"realmRoles,omitempty"`

	// ClientRoles assigned to the user (map of client to roles)
	// +optional
	ClientRoles map[string][]string `json:"clientRoles,omitempty"`

	// RequiredActions for the user
	// +optional
	RequiredActions []string `json:"requiredActions,omitempty"`

	// Attributes for custom user attributes
	// +optional
	Attributes map[string][]string `json:"attributes,omitempty"`

	// Credentials for the user (e.g., password)
	// +optional
	Credentials []CredentialRepresentation `json:"credentials,omitempty"`
}

type UserSecretSpec struct {
	// SecretName is the name of the Kubernetes secret to create
	// +kubebuilder:validation:Required
	SecretName string `json:"secretName"`

	// UsernameKey is the key for the username in the secret (defaults to "username")
	// +optional
	UsernameKey *string `json:"usernameKey,omitempty"`

	// PasswordKey is the key for the password (defaults to "password")
	// +optional
	PasswordKey *string `json:"passwordKey,omitempty"`

	// GeneratePassword indicates whether to generate a password
	// +optional
	GeneratePassword *bool `json:"generatePassword,omitempty"`
}