From 4985263516803f410ab4d973a8c284343d51a7ce Mon Sep 17 00:00:00 2001
From: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
Date: Fri, 24 Oct 2025 17:22:39 +0100
Subject: [PATCH 1/2] adds inlineOIDC config to CRDs

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
---
 deploy/charts/operator-crds/Chart.yaml        |  2 +-
 deploy/charts/operator-crds/README.md         |  2 +-
 ...oolhive.stacklok.dev_mcpremoteproxies.yaml | 20 +++++++++++++++++--
 .../toolhive.stacklok.dev_mcpservers.yaml     | 20 +++++++++++++++++--
 4 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/deploy/charts/operator-crds/Chart.yaml b/deploy/charts/operator-crds/Chart.yaml
index 65a46ce80..a82404093 100644
--- a/deploy/charts/operator-crds/Chart.yaml
+++ b/deploy/charts/operator-crds/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: toolhive-operator-crds
 description: A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.
 type: application
-version: 0.0.43
+version: 0.0.44
 appVersion: "0.0.1"
diff --git a/deploy/charts/operator-crds/README.md b/deploy/charts/operator-crds/README.md
index e90c42740..d161dfcbc 100644
--- a/deploy/charts/operator-crds/README.md
+++ b/deploy/charts/operator-crds/README.md
@@ -1,7 +1,7 @@
 
 # ToolHive Operator CRDs Helm Chart
 
-![Version: 0.0.43](https://img.shields.io/badge/Version-0.0.43-informational?style=flat-square)
+![Version: 0.0.44](https://img.shields.io/badge/Version-0.0.44-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.
diff --git a/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpremoteproxies.yaml b/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpremoteproxies.yaml
index 448757c04..0943cdbf4 100644
--- a/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpremoteproxies.yaml
+++ b/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpremoteproxies.yaml
@@ -158,9 +158,25 @@ spec:
                         description: ClientID is the OIDC client ID
                         type: string
                       clientSecret:
-                        description: ClientSecret is the client secret for introspection
-                          (optional)
+                        description: |-
+                          ClientSecret is the client secret for introspection (optional)
+                          Deprecated: Use ClientSecretRef instead for better security
                         type: string
+                      clientSecretRef:
+                        description: |-
+                          ClientSecretRef is a reference to a Kubernetes Secret containing the client secret
+                          If both ClientSecret and ClientSecretRef are provided, ClientSecretRef takes precedence
+                        properties:
+                          key:
+                            description: Key is the key within the secret
+                            type: string
+                          name:
+                            description: Name is the name of the secret
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
                       insecureAllowHTTP:
                         default: false
                         description: |-
diff --git a/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpservers.yaml b/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpservers.yaml
index 695e12e84..446ab72f6 100644
--- a/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpservers.yaml
+++ b/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpservers.yaml
@@ -182,9 +182,25 @@ spec:
                         description: ClientID is the OIDC client ID
                         type: string
                       clientSecret:
-                        description: ClientSecret is the client secret for introspection
-                          (optional)
+                        description: |-
+                          ClientSecret is the client secret for introspection (optional)
+                          Deprecated: Use ClientSecretRef instead for better security
                         type: string
+                      clientSecretRef:
+                        description: |-
+                          ClientSecretRef is a reference to a Kubernetes Secret containing the client secret
+                          If both ClientSecret and ClientSecretRef are provided, ClientSecretRef takes precedence
+                        properties:
+                          key:
+                            description: Key is the key within the secret
+                            type: string
+                          name:
+                            description: Name is the name of the secret
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
                       insecureAllowHTTP:
                         default: false
                         description: |-

From 150d4180c00138eb7fa86fdd7f60bd6bd9b7c7bf Mon Sep 17 00:00:00 2001
From: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
Date: Fri, 24 Oct 2025 18:07:18 +0100
Subject: [PATCH 2/2] pecify chart dirs for order

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
---
 ct-install.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ct-install.yaml b/ct-install.yaml
index ee24e5d7e..bfbd67fbd 100644
--- a/ct-install.yaml
+++ b/ct-install.yaml
@@ -2,7 +2,8 @@
 # See: https://github.com/helm/chart-testing
 
 chart-dirs:
-  - deploy/charts
+  - deploy/charts/operator-crds
+  - deploy/charts/operator
 validate-maintainers: false
 remote: origin
 target-branch: main