From 2f82574d298c432a31f1c38088ad19783e73b979 Mon Sep 17 00:00:00 2001 From: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com> Date: Tue, 31 Mar 2026 15:24:51 +0100 Subject: [PATCH] Remove configMapRef from MCPOIDCConfig MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since MCPOIDCConfig is a dedicated typed CRD, there is no need for a configMapRef indirection — the type's own fields should always be used inline. This simplifies the CEL union to just kubernetesServiceAccount or inline. Co-Authored-By: Claude Opus 4.6 (1M context) --- rfcs/THV-0023-crd-v1beta1-optimization.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/rfcs/THV-0023-crd-v1beta1-optimization.md b/rfcs/THV-0023-crd-v1beta1-optimization.md index bae3f1b..d39d550 100644 --- a/rfcs/THV-0023-crd-v1beta1-optimization.md +++ b/rfcs/THV-0023-crd-v1beta1-optimization.md @@ -195,10 +195,6 @@ spec: requiredClaims: iss: https://kubernetes.default.svc # OR - configMapRef: - name: oidc-config - key: oidc.json - # OR inline: issuer: https://keycloak.example.com/realms/prod clientId: toolhive-client @@ -226,7 +222,7 @@ status: ``` **Key design decisions:** -- CEL validation ensures exactly one of `kubernetesServiceAccount`, `configMapRef`, or `inline` is set +- CEL validation ensures exactly one of `kubernetesServiceAccount` or `inline` is set - `audience` and `scopes` are intentionally excluded from the shared config - they are per-server fields specified in the reference #### New CRD 2: MCPTelemetryConfig 
@@ -503,7 +499,7 @@ CRDs use CEL (Common Expression Language) for admission-time validation: | CRD | Rule | Validation | |-----|------|------------| -| MCPOIDCConfig | Exactly one source | `kubernetesServiceAccount`, `configMapRef`, or `inline` - only one allowed | +| MCPOIDCConfig | Exactly one source | `kubernetesServiceAccount` or `inline` - only one allowed | | MCPAuthzConfig | Exactly one source | `configMapRef` or `inline` - only one allowed | | MCPServerSpec | Transport/port consistency | `mcpPort` cannot be set when transport is `stdio` | | IncomingAuthConfig | Auth mode selection | Either `oidcConfigRef` or `anonymous` - only one allowed |
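Review bot: In the example spec at @@ -195,10 +195,6, removing the `configMapRef` block (`name: oidc-config`, `key: oidc.json`) leaves the RFC silent on what happens to a manifest that still sets it. Suggest adding a sentence next to the example saying whether such a manifest is rejected at admission, and that the values previously held in the ConfigMap must be moved into `inline`.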
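Review bot: The Key design decisions bullet at @@ -226,7 +222,7 states the rule only as "exactly one of `kubernetesServiceAccount` or `inline` is set", while the example above it shows both blocks under one `spec:` separated only by a `# OR` comment. Suggest saying explicitly that a spec setting both, or neither, is rejected at admission, so a reader does not take the example as a valid manifest.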
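Review bot: In the validation table at @@ -503,7 +499,7, the MCPOIDCConfig row drops `configMapRef` but the MCPAuthzConfig row directly below still reads "`configMapRef` or `inline` - only one allowed". The commit message's rationale (a dedicated typed CRD needs no `configMapRef` indirection) appears to apply to MCPAuthzConfig as well. Suggest either making the same change there or adding a line to the RFC explaining why MCPAuthzConfig keeps the indirection, so the two CRDs are not inconsistent without explanation.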