diff --git a/edp-keycloak-operator/README.md b/edp-keycloak-operator/README.md
new file mode 100644
index 00000000..45a5f358
--- /dev/null
+++ b/edp-keycloak-operator/README.md
@@ -0,0 +1,1240 @@
+# edp-keycloak-operator
+
+## Index
+
+- v1
+ - [Keycloak](#keycloak)
+ - [KeycloakAuthFlow](#keycloakauthflow)
+ - [KeycloakClient](#keycloakclient)
+ - [KeycloakClientScope](#keycloakclientscope)
+ - [KeycloakRealm](#keycloakrealm)
+ - [KeycloakRealmComponent](#keycloakrealmcomponent)
+ - [KeycloakRealmGroup](#keycloakrealmgroup)
+ - [KeycloakRealmIdentityProvider](#keycloakrealmidentityprovider)
+ - [KeycloakRealmRole](#keycloakrealmrole)
+ - [KeycloakRealmRoleBatch](#keycloakrealmrolebatch)
+ - [KeycloakRealmUser](#keycloakrealmuser)
+ - [V1EdpEpamComV1KeycloakAuthFlowSpec](#v1edpepamcomv1keycloakauthflowspec)
+ - [V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0](#v1edpepamcomv1keycloakauthflowspecauthenticationexecutionsitems0)
+ - [V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0AuthenticatorConfig](#v1edpepamcomv1keycloakauthflowspecauthenticationexecutionsitems0authenticatorconfig)
+ - [V1EdpEpamComV1KeycloakAuthFlowSpecRealmRef](#v1edpepamcomv1keycloakauthflowspecrealmref)
+ - [V1EdpEpamComV1KeycloakAuthFlowStatus](#v1edpepamcomv1keycloakauthflowstatus)
+ - [V1EdpEpamComV1KeycloakClientScopeSpec](#v1edpepamcomv1keycloakclientscopespec)
+ - [V1EdpEpamComV1KeycloakClientScopeSpecProtocolMappersItems0](#v1edpepamcomv1keycloakclientscopespecprotocolmappersitems0)
+ - [V1EdpEpamComV1KeycloakClientScopeSpecRealmRef](#v1edpepamcomv1keycloakclientscopespecrealmref)
+ - [V1EdpEpamComV1KeycloakClientScopeStatus](#v1edpepamcomv1keycloakclientscopestatus)
+ - [V1EdpEpamComV1KeycloakClientSpec](#v1edpepamcomv1keycloakclientspec)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorization](#v1edpepamcomv1keycloakclientspecauthorization)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPermissionsItems0](#v1edpepamcomv1keycloakclientspecauthorizationpermissionsitems0)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0AggregatedPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0aggregatedpolicy)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0ClientPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0clientpolicy)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0grouppolicy)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicyGroupsItems0](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0grouppolicygroupsitems0)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0rolepolicy)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicyRolesItems0](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0rolepolicyrolesitems0)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0TimePolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0timepolicy)
+ - [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0UserPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0userpolicy)
+ - [V1EdpEpamComV1KeycloakClientSpecProtocolMappersItems0](#v1edpepamcomv1keycloakclientspecprotocolmappersitems0)
+ - [V1EdpEpamComV1KeycloakClientSpecRealmRef](#v1edpepamcomv1keycloakclientspecrealmref)
+ - [V1EdpEpamComV1KeycloakClientSpecRealmRolesItems0](#v1edpepamcomv1keycloakclientspecrealmrolesitems0)
+ - [V1EdpEpamComV1KeycloakClientSpecServiceAccount](#v1edpepamcomv1keycloakclientspecserviceaccount)
+ - [V1EdpEpamComV1KeycloakClientSpecServiceAccountClientRolesItems0](#v1edpepamcomv1keycloakclientspecserviceaccountclientrolesitems0)
+ - [V1EdpEpamComV1KeycloakClientStatus](#v1edpepamcomv1keycloakclientstatus)
+ - [V1EdpEpamComV1KeycloakRealmComponentSpec](#v1edpepamcomv1keycloakrealmcomponentspec)
+ - [V1EdpEpamComV1KeycloakRealmComponentSpecParentRef](#v1edpepamcomv1keycloakrealmcomponentspecparentref)
+ - [V1EdpEpamComV1KeycloakRealmComponentSpecRealmRef](#v1edpepamcomv1keycloakrealmcomponentspecrealmref)
+ - [V1EdpEpamComV1KeycloakRealmComponentStatus](#v1edpepamcomv1keycloakrealmcomponentstatus)
+ - [V1EdpEpamComV1KeycloakRealmGroupSpec](#v1edpepamcomv1keycloakrealmgroupspec)
+ - [V1EdpEpamComV1KeycloakRealmGroupSpecClientRolesItems0](#v1edpepamcomv1keycloakrealmgroupspecclientrolesitems0)
+ - [V1EdpEpamComV1KeycloakRealmGroupSpecRealmRef](#v1edpepamcomv1keycloakrealmgroupspecrealmref)
+ - [V1EdpEpamComV1KeycloakRealmGroupStatus](#v1edpepamcomv1keycloakrealmgroupstatus)
+ - [V1EdpEpamComV1KeycloakRealmIdentityProviderSpec](#v1edpepamcomv1keycloakrealmidentityproviderspec)
+ - [V1EdpEpamComV1KeycloakRealmIdentityProviderSpecMappersItems0](#v1edpepamcomv1keycloakrealmidentityproviderspecmappersitems0)
+ - [V1EdpEpamComV1KeycloakRealmIdentityProviderSpecRealmRef](#v1edpepamcomv1keycloakrealmidentityproviderspecrealmref)
+ - [V1EdpEpamComV1KeycloakRealmIdentityProviderStatus](#v1edpepamcomv1keycloakrealmidentityproviderstatus)
+ - [V1EdpEpamComV1KeycloakRealmRoleBatchSpec](#v1edpepamcomv1keycloakrealmrolebatchspec)
+ - [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRealmRef](#v1edpepamcomv1keycloakrealmrolebatchspecrealmref)
+ - [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0](#v1edpepamcomv1keycloakrealmrolebatchspecrolesitems0)
+ - [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0CompositesItems0](#v1edpepamcomv1keycloakrealmrolebatchspecrolesitems0compositesitems0)
+ - [V1EdpEpamComV1KeycloakRealmRoleBatchStatus](#v1edpepamcomv1keycloakrealmrolebatchstatus)
+ - [V1EdpEpamComV1KeycloakRealmRoleSpec](#v1edpepamcomv1keycloakrealmrolespec)
+ - [V1EdpEpamComV1KeycloakRealmRoleSpecCompositesClientRolesItems0](#v1edpepamcomv1keycloakrealmrolespeccompositesclientrolesitems0)
+ - [V1EdpEpamComV1KeycloakRealmRoleSpecCompositesItems0](#v1edpepamcomv1keycloakrealmrolespeccompositesitems0)
+ - [V1EdpEpamComV1KeycloakRealmRoleSpecRealmRef](#v1edpepamcomv1keycloakrealmrolespecrealmref)
+ - [V1EdpEpamComV1KeycloakRealmRoleStatus](#v1edpepamcomv1keycloakrealmrolestatus)
+ - [V1EdpEpamComV1KeycloakRealmSpec](#v1edpepamcomv1keycloakrealmspec)
+ - [V1EdpEpamComV1KeycloakRealmSpecKeycloakRef](#v1edpepamcomv1keycloakrealmspeckeycloakref)
+ - [V1EdpEpamComV1KeycloakRealmSpecPasswordPolicyItems0](#v1edpepamcomv1keycloakrealmspecpasswordpolicyitems0)
+ - [V1EdpEpamComV1KeycloakRealmSpecRealmEventConfig](#v1edpepamcomv1keycloakrealmspecrealmeventconfig)
+ - [V1EdpEpamComV1KeycloakRealmSpecThemes](#v1edpepamcomv1keycloakrealmspecthemes)
+ - [V1EdpEpamComV1KeycloakRealmSpecTokenSettings](#v1edpepamcomv1keycloakrealmspectokensettings)
+ - [V1EdpEpamComV1KeycloakRealmSpecUsersItems0](#v1edpepamcomv1keycloakrealmspecusersitems0)
+ - [V1EdpEpamComV1KeycloakRealmStatus](#v1edpepamcomv1keycloakrealmstatus)
+ - [V1EdpEpamComV1KeycloakRealmUserSpec](#v1edpepamcomv1keycloakrealmuserspec)
+ - [V1EdpEpamComV1KeycloakRealmUserSpecPasswordSecret](#v1edpepamcomv1keycloakrealmuserspecpasswordsecret)
+ - [V1EdpEpamComV1KeycloakRealmUserSpecRealmRef](#v1edpepamcomv1keycloakrealmuserspecrealmref)
+ - [V1EdpEpamComV1KeycloakRealmUserStatus](#v1edpepamcomv1keycloakrealmuserstatus)
+ - [V1EdpEpamComV1KeycloakSpec](#v1edpepamcomv1keycloakspec)
+ - [V1EdpEpamComV1KeycloakSpecCaCert](#v1edpepamcomv1keycloakspeccacert)
+ - [V1EdpEpamComV1KeycloakSpecCaCertConfigMapKeyRef](#v1edpepamcomv1keycloakspeccacertconfigmapkeyref)
+ - [V1EdpEpamComV1KeycloakSpecCaCertSecretKeyRef](#v1edpepamcomv1keycloakspeccacertsecretkeyref)
+ - [V1EdpEpamComV1KeycloakStatus](#v1edpepamcomv1keycloakstatus)
+- v1alpha1
+ - [ClusterKeycloak](#clusterkeycloak)
+ - [ClusterKeycloakRealm](#clusterkeycloakrealm)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpec](#v1edpepamcomv1alpha1clusterkeycloakrealmspec)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecAuthenticationFlows](#v1edpepamcomv1alpha1clusterkeycloakrealmspecauthenticationflows)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecLocalization](#v1edpepamcomv1alpha1clusterkeycloakrealmspeclocalization)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecPasswordPolicyItems0](#v1edpepamcomv1alpha1clusterkeycloakrealmspecpasswordpolicyitems0)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecRealmEventConfig](#v1edpepamcomv1alpha1clusterkeycloakrealmspecrealmeventconfig)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecThemes](#v1edpepamcomv1alpha1clusterkeycloakrealmspecthemes)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecTokenSettings](#v1edpepamcomv1alpha1clusterkeycloakrealmspectokensettings)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakRealmStatus](#v1edpepamcomv1alpha1clusterkeycloakrealmstatus)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakSpec](#v1edpepamcomv1alpha1clusterkeycloakspec)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCert](#v1edpepamcomv1alpha1clusterkeycloakspeccacert)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertConfigMapKeyRef](#v1edpepamcomv1alpha1clusterkeycloakspeccacertconfigmapkeyref)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertSecretKeyRef](#v1edpepamcomv1alpha1clusterkeycloakspeccacertsecretkeyref)
+ - [V1EdpEpamComV1alpha1ClusterKeycloakStatus](#v1edpepamcomv1alpha1clusterkeycloakstatus)
+
+## Schemas
+
+### Keycloak
+
+Keycloak is the Schema for the keycloaks API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"Keycloak"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"Keycloak"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakSpec](#v1edpepamcomv1keycloakspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakStatus](#v1edpepamcomv1keycloakstatus)|status||
+### KeycloakAuthFlow
+
+KeycloakAuthFlow is the Schema for the keycloak authentication flow API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakAuthFlow"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakAuthFlow"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakAuthFlowSpec](#v1edpepamcomv1keycloakauthflowspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakAuthFlowStatus](#v1edpepamcomv1keycloakauthflowstatus)|status||
+### KeycloakClient
+
+KeycloakClient is the Schema for the keycloak clients API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakClient"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakClient"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakClientSpec](#v1edpepamcomv1keycloakclientspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakClientStatus](#v1edpepamcomv1keycloakclientstatus)|status||
+### KeycloakClientScope
+
+KeycloakClientScope is the Schema for the keycloakclientscopes API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakClientScope"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakClientScope"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakClientScopeSpec](#v1edpepamcomv1keycloakclientscopespec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakClientScopeStatus](#v1edpepamcomv1keycloakclientscopestatus)|status||
+### KeycloakRealm
+
+KeycloakRealm is the Schema for the keycloak realms API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealm"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealm"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmSpec](#v1edpepamcomv1keycloakrealmspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmStatus](#v1edpepamcomv1keycloakrealmstatus)|status||
+### KeycloakRealmComponent
+
+KeycloakRealmComponent is the Schema for the keycloak component API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealmComponent"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealmComponent"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmComponentSpec](#v1edpepamcomv1keycloakrealmcomponentspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmComponentStatus](#v1edpepamcomv1keycloakrealmcomponentstatus)|status||
+### KeycloakRealmGroup
+
+KeycloakRealmGroup is the Schema for the keycloak group API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealmGroup"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealmGroup"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmGroupSpec](#v1edpepamcomv1keycloakrealmgroupspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmGroupStatus](#v1edpepamcomv1keycloakrealmgroupstatus)|status||
+### KeycloakRealmIdentityProvider
+
+KeycloakRealmIdentityProvider is the Schema for the keycloak realm identity provider API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealmIdentityProvider"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealmIdentityProvider"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmIdentityProviderSpec](#v1edpepamcomv1keycloakrealmidentityproviderspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmIdentityProviderStatus](#v1edpepamcomv1keycloakrealmidentityproviderstatus)|status||
+### KeycloakRealmRole
+
+KeycloakRealmRole is the Schema for the keycloak group API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealmRole"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealmRole"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmRoleSpec](#v1edpepamcomv1keycloakrealmrolespec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmRoleStatus](#v1edpepamcomv1keycloakrealmrolestatus)|status||
+### KeycloakRealmRoleBatch
+
+KeycloakRealmRoleBatch is the Schema for the keycloak roles API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealmRoleBatch"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealmRoleBatch"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmRoleBatchSpec](#v1edpepamcomv1keycloakrealmrolebatchspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmRoleBatchStatus](#v1edpepamcomv1keycloakrealmrolebatchstatus)|status||
+### KeycloakRealmUser
+
+KeycloakRealmUser is the Schema for the keycloak user API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1"|
+|**kind** `required` `readOnly`|"KeycloakRealmUser"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"KeycloakRealmUser"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1KeycloakRealmUserSpec](#v1edpepamcomv1keycloakrealmuserspec)|spec||
+|**status**|[V1EdpEpamComV1KeycloakRealmUserStatus](#v1edpepamcomv1keycloakrealmuserstatus)|status||
+### V1EdpEpamComV1KeycloakAuthFlowSpec
+
+KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**alias** `required`|str|Alias is display name for authentication flow.||
+|**authenticationExecutions**|[[V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0](#v1edpepamcomv1keycloakauthflowspecauthenticationexecutionsitems0)]|AuthenticationExecutions is list of authentication executions for this auth flow.||
+|**builtIn** `required`|bool|BuiltIn is true if this is built-in auth flow.||
+|**childRequirement**|str|ChildRequirement is requirement for child execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.||
+|**childType**|str|ChildType is type for auth flow if it has a parent, available options: basic-flow, form-flow||
+|**description**|str|Description is description for authentication flow.||
+|**parentName**|str|ParentName is name of parent auth flow.||
+|**providerId** `required`|str|ProviderID for root auth flow and provider for child auth flows.||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakAuthFlowSpecRealmRef](#v1edpepamcomv1keycloakauthflowspecrealmref)|realm ref||
+|**topLevel** `required`|bool|TopLevel is true if this is root auth flow.||
+### V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0
+
+AuthenticationExecution defines keycloak authentication execution.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**alias**|str|Alias is display name for this execution.||
+|**authenticator**|str|Authenticator is name of authenticator.||
+|**authenticatorConfig**|[V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0AuthenticatorConfig](#v1edpepamcomv1keycloakauthflowspecauthenticationexecutionsitems0authenticatorconfig)|authenticator config||
+|**authenticatorFlow**|bool|AuthenticatorFlow is true if this is auth flow.||
+|**priority**|int|Priority is priority for this execution. Lower values have higher priority.||
+|**requirement**|str|Requirement is requirement for this execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.||
+### V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0AuthenticatorConfig
+
+AuthenticatorConfig is configuration for authenticator.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**alias**|str|Alias is display name for authenticator config.||
+|**config**|{str:str}|Config is configuration for authenticator.||
+### V1EdpEpamComV1KeycloakAuthFlowSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakAuthFlowStatus
+
+KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakClientScopeSpec
+
+KeycloakClientScopeSpec defines the desired state of KeycloakClientScope.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**attributes**|{str:str}|Attributes is a map of client scope attributes.||
+|**default**|bool|Default is a flag to set client scope as default.||
+|**description**|str|Description is a description of client scope.||
+|**name** `required`|str|Name of keycloak client scope.||
+|**protocol** `required`|str|||
+|**protocolMappers**|[[V1EdpEpamComV1KeycloakClientScopeSpecProtocolMappersItems0](#v1edpepamcomv1keycloakclientscopespecprotocolmappersitems0)]|ProtocolMappers is a list of protocol mappers assigned to client scope.||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakClientScopeSpecRealmRef](#v1edpepamcomv1keycloakclientscopespecrealmref)|realm ref||
+### V1EdpEpamComV1KeycloakClientScopeSpecProtocolMappersItems0
+
+v1 edp epam com v1 keycloak client scope spec protocol mappers items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**config**|{str:str}|Config is a map of protocol mapper configuration.||
+|**name**|str|Name is a protocol mapper name.||
+|**protocol**|str|||
+|**protocolMapper**|str|ProtocolMapper is a protocol mapper name.||
+### V1EdpEpamComV1KeycloakClientScopeSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakClientScopeStatus
+
+KeycloakClientScopeStatus defines the observed state of KeycloakClientScope.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**id**|str|id||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakClientSpec
+
+KeycloakClientSpec defines the desired state of KeycloakClient.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**advancedProtocolMappers**|bool|AdvancedProtocolMappers is a flag to enable advanced protocol mappers.||
+|**attributes**|{str:str}|Attributes is a map of client attributes.|{"post.logout.redirect.uris": "+"}|
+|**authorization**|[V1EdpEpamComV1KeycloakClientSpecAuthorization](#v1edpepamcomv1keycloakclientspecauthorization)|authorization||
+|**authorizationServicesEnabled**|bool|ServiceAccountsEnabled enable/disable fine-grained authorization support for a client.||
+|**bearerOnly**|bool|BearerOnly is a flag to enable bearer-only.||
+|**clientAuthenticatorType**|str|ClientAuthenticatorType is a client authenticator type.|"client-secret"|
+|**clientId** `required`|str|ClientId is a unique keycloak client ID referenced in URI and tokens.||
+|**clientRoles**|[str]|ClientRoles is a list of client roles names assigned to client.||
+|**consentRequired**|bool|ConsentRequired is a flag to enable consent.||
+|**defaultClientScopes**|[str]|DefaultClientScopes is a list of default client scopes assigned to client.||
+|**description**|str|Description is a client description.||
+|**directAccess**|bool|DirectAccess is a flag to set client as direct access.||
+|**enabled**|bool|Enabled is a flag to enable client.|True|
+|**frontChannelLogout**|bool|FrontChannelLogout is a flag to enable front channel logout.||
+|**fullScopeAllowed**|bool|FullScopeAllowed is a flag to enable full scope.|True|
+|**implicitFlowEnabled**|bool|ImplicitFlowEnabled is a flag to enable support for OpenID Connect redirect based authentication without authorization code.||
+|**name**|str|Name is a client name.||
+|**optionalClientScopes**|[str]|OptionalClientScopes is a list of optional client scopes assigned to client.||
+|**protocol**|str|||
+|**protocolMappers**|[[V1EdpEpamComV1KeycloakClientSpecProtocolMappersItems0](#v1edpepamcomv1keycloakclientspecprotocolmappersitems0)]|ProtocolMappers is a list of protocol mappers assigned to client.||
+|**public**|bool|Public is a flag to set client as public.||
+|**realmRef**|[V1EdpEpamComV1KeycloakClientSpecRealmRef](#v1edpepamcomv1keycloakclientspecrealmref)|realm ref||
+|**realmRoles**|[[V1EdpEpamComV1KeycloakClientSpecRealmRolesItems0](#v1edpepamcomv1keycloakclientspecrealmrolesitems0)]|RealmRoles is a list of realm roles assigned to client.||
+|**reconciliationStrategy**|"full" | "addOnly"|ReconciliationStrategy is a strategy to reconcile client.||
+|**redirectUris**|[str]|RedirectUris is a list of valid URI pattern a browser can redirect to after a successful login.
Simple wildcards are allowed such as 'https://example.com/*'.
Relative path can be specified too, such as /my/relative/path/*. Relative paths are relative to the client root URL.
If not specified, spec.webUrl + "/*" will be used.||
+|**secret**|str|Secret is kubernetes secret name where the client's secret will be stored.
Secret should have the following format: $secretName:secretKey.
If not specified, a client secret will be generated and stored in a secret with the name keycloak-client-{metadata.name}-secret.
If keycloak client is public, secret property will be ignored.||
+|**serviceAccount**|[V1EdpEpamComV1KeycloakClientSpecServiceAccount](#v1edpepamcomv1keycloakclientspecserviceaccount)|service account||
+|**standardFlowEnabled**|bool|StandardFlowEnabled is a flag to enable standard flow.|True|
+|**surrogateAuthRequired**|bool|SurrogateAuthRequired is a flag to enable surrogate auth.||
+|**targetRealm**|str|Deprecated: use RealmRef instead.
TargetRealm is a realm name where client will be created.
It has higher priority than RealmRef for backward compatibility.
If both TargetRealm and RealmRef are specified, TargetRealm will be used for client creation.||
+|**webOrigins**|[str]|WebOrigins is a list of allowed CORS origins.
To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though.
To permit all origins, explicitly add '*'.
If not specified, the value from `WebUrl` is used||
+|**webUrl**|str|WebUrl is a client web url.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorization
+
+Authorization is a client authorization configuration.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**permissions**|[[V1EdpEpamComV1KeycloakClientSpecAuthorizationPermissionsItems0](#v1edpepamcomv1keycloakclientspecauthorizationpermissionsitems0)]|permissions||
+|**policies**|[[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0)]|policies||
+|**scopes**|[str]|scopes||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPermissionsItems0
+
+v1 edp epam com v1 keycloak client spec authorization permissions items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**decisionStrategy**|"UNANIMOUS" | "AFFIRMATIVE" | "CONSENSUS"|DecisionStrategy is a permission decision strategy.|"UNANIMOUS"|
+|**description**|str|Description is a permission description.||
+|**logic**|"POSITIVE" | "NEGATIVE"|Logic is a permission logic.|"POSITIVE"|
+|**name** `required`|str|Name is a permission name.||
+|**policies**|[str]|Policies is a list of policies names.
Specifies all the policies that must be applied to the scopes defined by this policy or permission.||
+|**resources**|[str]|Resources is a list of resources names.
Specifies that this permission must be applied to all resource instances of a given type.||
+|**scopes**|[str]|Scopes is a list of authorization scopes names.
Specifies that this permission must be applied to one or more scopes.||
+|**type** `required`|"resource" | "scope"|||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0
+
+Policy represents a client authorization policy.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**aggregatedPolicy**|[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0AggregatedPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0aggregatedpolicy)|aggregated policy||
+|**clientPolicy**|[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0ClientPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0clientpolicy)|client policy||
+|**decisionStrategy**|"UNANIMOUS" | "AFFIRMATIVE" | "CONSENSUS"|DecisionStrategy is a policy decision strategy.|"UNANIMOUS"|
+|**description**|str|Description is a policy description.||
+|**groupPolicy**|[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0grouppolicy)|group policy||
+|**logic**|"POSITIVE" | "NEGATIVE"|Logic is a policy logic.|"POSITIVE"|
+|**name** `required`|str|Name is a policy name.||
+|**rolePolicy**|[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0rolepolicy)|role policy||
+|**timePolicy**|[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0TimePolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0timepolicy)|time policy||
+|**type** `required`|"aggregate" | "client" | "group" | "role" | "time" | "user"|||
+|**userPolicy**|[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0UserPolicy](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0userpolicy)|user policy||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0AggregatedPolicy
+
+AggregatedPolicy is an aggregated policy settings.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**policies** `required`|[str]|Policies is a list of aggregated policies names.
Specifies all the policies that must be applied to the scopes defined by this policy or permission.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0ClientPolicy
+
+ClientPolicy is a client policy settings.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**clients** `required`|[str]|Clients is a list of client names. Specifies which client(s) are allowed by this policy.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicy
+
+GroupPolicy is a group policy settings.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**groups**|[[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicyGroupsItems0](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0grouppolicygroupsitems0)]|Groups is a list of group names. Specifies which group(s) are allowed by this policy.||
+|**groupsClaim**|str|GroupsClaim is a group claim.
If defined, the policy will fetch user's groups from the given claim
within an access token or ID token representing the identity asking permissions.
If not defined, user's groups are obtained from your realm configuration.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicyGroupsItems0
+
+GroupDefinition represents a group in a GroupPolicyData.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**extendChildren**|bool|ExtendChildren is a flag that specifies whether to extend children.||
+|**name** `required`|str|Name is a group name.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicy
+
+RolePolicy is a role policy settings.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**roles** `required`|[[V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicyRolesItems0](#v1edpepamcomv1keycloakclientspecauthorizationpoliciesitems0rolepolicyrolesitems0)]|Roles is a list of role.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicyRolesItems0
+
+RoleDefinition represents a role in a RolePolicyData.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**name** `required`|str|Name is a role name.||
+|**required**|bool|Required is a flag that specifies whether the role is required.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0TimePolicy
+
+ScopePolicy is a scope policy settings.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**dayMonth**|str|Day defines the month which the policy MUST be granted.
You can also provide a range by filling the dayMonthEnd field.
In this case, permission is granted only if current month is between or equal to the two values you provided.||
+|**dayMonthEnd**|str|day month end||
+|**hour**|str|Hour defines the hour when the policy MUST be granted.
You can also provide a range by filling the hourEnd.
In this case, permission is granted only if current hour is between or equal to the two values you provided.||
+|**hourEnd**|str|hour end||
+|**minute**|str|Minute defines the minute when the policy MUST be granted.
You can also provide a range by filling the minuteEnd field.
In this case, permission is granted only if current minute is between or equal to the two values you provided.||
+|**minuteEnd**|str|minute end||
+|**month**|str|Month defines the month which the policy MUST be granted.
You can also provide a range by filling the monthEnd.
In this case, permission is granted only if current month is between or equal to the two values you provided.||
+|**monthEnd**|str|month end||
+|**notBefore** `required`|str|NotBefore defines the time before which the policy MUST NOT be granted.
Only granted if current date/time is after or equal to this value.||
+|**notOnOrAfter** `required`|str|NotOnOrAfter defines the time after which the policy MUST NOT be granted.
Only granted if current date/time is before or equal to this value.||
+### V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0UserPolicy
+
+UserPolicy is a user policy settings.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**users** `required`|[str]|Users is a list of usernames. Specifies which user(s) are allowed by this policy.||
+### V1EdpEpamComV1KeycloakClientSpecProtocolMappersItems0
+
+v1 edp epam com v1 keycloak client spec protocol mappers items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**config**|{str:str}|Config is a map of protocol mapper configuration.||
+|**name**|str|Name is a protocol mapper name.||
+|**protocol**|str|||
+|**protocolMapper**|str|ProtocolMapper is a protocol mapper name.||
+### V1EdpEpamComV1KeycloakClientSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakClientSpecRealmRolesItems0
+
+v1 edp epam com v1 keycloak client spec realm roles items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**composite** `required`|str|Composite is a realm composite role name.||
+|**name**|str|Name is a realm role name.||
+### V1EdpEpamComV1KeycloakClientSpecServiceAccount
+
+ServiceAccount is a service account configuration.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**attributes**|{str:str}|Attributes is a map of service account attributes.||
+|**clientRoles**|[[V1EdpEpamComV1KeycloakClientSpecServiceAccountClientRolesItems0](#v1edpepamcomv1keycloakclientspecserviceaccountclientrolesitems0)]|ClientRoles is a list of client roles assigned to service account.||
+|**enabled**|bool|Enabled is a flag to enable service account.||
+|**realmRoles**|[str]|RealmRoles is a list of realm roles assigned to service account.||
+### V1EdpEpamComV1KeycloakClientSpecServiceAccountClientRolesItems0
+
+v1 edp epam com v1 keycloak client spec service account client roles items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**clientId** `required`|str|ClientID is a client ID.||
+|**roles**|[str]|Roles is a list of client roles names assigned to service account.||
+### V1EdpEpamComV1KeycloakClientStatus
+
+KeycloakClientStatus defines the observed state of KeycloakClient.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**clientId**|str|client Id||
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmComponentSpec
+
+KeycloakComponentSpec defines the desired state of KeycloakRealmComponent.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**config**|{str:[str]}|Config is a map of component configuration.
Map key is a name of configuration property, map value is an array value of configuration properties.
Any configuration property can be a reference to k8s secret, in this case the property should be in format $secretName:secretKey.||
+|**name** `required`|str|Name of keycloak component.||
+|**parentRef**|[V1EdpEpamComV1KeycloakRealmComponentSpecParentRef](#v1edpepamcomv1keycloakrealmcomponentspecparentref)|parent ref||
+|**providerId** `required`|str|ProviderID is a provider ID of component.||
+|**providerType** `required`|str|ProviderType is a provider type of component.||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakRealmComponentSpecRealmRef](#v1edpepamcomv1keycloakrealmcomponentspecrealmref)|realm ref||
+### V1EdpEpamComV1KeycloakRealmComponentSpecParentRef
+
+ParentRef specifies a parent resource. If not specified, then parent is realm specified in realm field.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "KeycloakRealmComponent"|Kind is a kind of parent component. By default, it is KeycloakRealm.|"KeycloakRealm"|
+|**name** `required`|str|Name is a name of parent component custom resource.
For example, if Kind is KeycloakRealm, then Name is name of KeycloakRealm custom resource.||
+### V1EdpEpamComV1KeycloakRealmComponentSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmComponentStatus
+
+KeycloakComponentStatus defines the observed state of KeycloakRealmComponent.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmGroupSpec
+
+KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**access**|{str:bool}|Access is a map of group access.||
+|**attributes**|{str:[str]}|Attributes is a map of group attributes.||
+|**clientRoles**|[[V1EdpEpamComV1KeycloakRealmGroupSpecClientRolesItems0](#v1edpepamcomv1keycloakrealmgroupspecclientrolesitems0)]|ClientRoles is a list of client roles assigned to group.||
+|**name** `required`|str|Name of keycloak group.||
+|**path**|str|Path is a group path.||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakRealmGroupSpecRealmRef](#v1edpepamcomv1keycloakrealmgroupspecrealmref)|realm ref||
+|**realmRoles**|[str]|RealmRoles is a list of realm roles assigned to group.||
+|**subGroups**|[str]|SubGroups is a list of subgroups assigned to group.||
+### V1EdpEpamComV1KeycloakRealmGroupSpecClientRolesItems0
+
+v1 edp epam com v1 keycloak realm group spec client roles items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**clientId** `required`|str|ClientID is a client ID.||
+|**roles**|[str]|Roles is a list of client roles names assigned to service account.||
+### V1EdpEpamComV1KeycloakRealmGroupSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmGroupStatus
+
+KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**id**|str|ID is a group ID.||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmIdentityProviderSpec
+
+KeycloakRealmIdentityProviderSpec defines the desired state of KeycloakRealmIdentityProvider.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**addReadTokenRoleOnCreate**|bool|AddReadTokenRoleOnCreate is a flag to add read token role on create.||
+|**alias** `required`|str|Alias is a alias of identity provider.||
+|**authenticateByDefault**|bool|AuthenticateByDefault is a flag to authenticate by default.||
+|**config** `required`|{str:str}|Config is a map of identity provider configuration.
Map key is a name of configuration property, map value is a value of configuration property.
Any value can be a reference to k8s secret, in this case value should be in format $secretName:secretKey.||
+|**displayName**|str|DisplayName is a display name of identity provider.||
+|**enabled** `required`|bool|Enabled is a flag to enable/disable identity provider.||
+|**firstBrokerLoginFlowAlias**|str|FirstBrokerLoginFlowAlias is a first broker login flow alias.||
+|**linkOnly**|bool|LinkOnly is a flag to link only.||
+|**mappers**|[[V1EdpEpamComV1KeycloakRealmIdentityProviderSpecMappersItems0](#v1edpepamcomv1keycloakrealmidentityproviderspecmappersitems0)]|Mappers is a list of identity provider mappers.||
+|**providerId** `required`|str|ProviderID is a provider ID of identity provider.||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakRealmIdentityProviderSpecRealmRef](#v1edpepamcomv1keycloakrealmidentityproviderspecrealmref)|realm ref||
+|**storeToken**|bool|StoreToken is a flag to store token.||
+|**trustEmail**|bool|TrustEmail is a flag to trust email.||
+### V1EdpEpamComV1KeycloakRealmIdentityProviderSpecMappersItems0
+
+v1 edp epam com v1 keycloak realm identity provider spec mappers items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**config**|{str:str}|Config is a map of identity provider mapper configuration.||
+|**identityProviderAlias**|str|IdentityProviderAlias is a identity provider alias.||
+|**identityProviderMapper**|str|IdentityProviderMapper is a identity provider mapper.||
+|**name**|str|Name is a name of identity provider mapper.||
+### V1EdpEpamComV1KeycloakRealmIdentityProviderSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmIdentityProviderStatus
+
+KeycloakRealmIdentityProviderStatus defines the observed state of KeycloakRealmIdentityProvider.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmRoleBatchSpec
+
+KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakRealmRoleBatchSpecRealmRef](#v1edpepamcomv1keycloakrealmrolebatchspecrealmref)|realm ref||
+|**roles** `required`|[[V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0](#v1edpepamcomv1keycloakrealmrolebatchspecrolesitems0)]|Roles is a list of roles to be created.||
+### V1EdpEpamComV1KeycloakRealmRoleBatchSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0
+
+v1 edp epam com v1 keycloak realm role batch spec roles items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**attributes**|{str:[str]}|Attributes is a map of role attributes.||
+|**composite**|bool|Composite is a flag if role is composite.||
+|**composites**|[[V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0CompositesItems0](#v1edpepamcomv1keycloakrealmrolebatchspecrolesitems0compositesitems0)]|Composites is a list of composites roles assigned to role.||
+|**description**|str|Description is a role description.||
+|**isDefault**|bool|IsDefault is a flag if role is default.||
+|**name** `required`|str|Name of keycloak role.||
+### V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0CompositesItems0
+
+v1 edp epam com v1 keycloak realm role batch spec roles items0 composites items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**name** `required`|str|Name is a name of composite role.||
+### V1EdpEpamComV1KeycloakRealmRoleBatchStatus
+
+KeycloakRealmRoleBatchStatus defines the observed state of KeycloakRealmRoleBatch.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmRoleSpec
+
+KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**attributes**|{str:[str]}|Attributes is a map of role attributes.||
+|**composite**|bool|Composite is a flag if role is composite.||
+|**composites**|[[V1EdpEpamComV1KeycloakRealmRoleSpecCompositesItems0](#v1edpepamcomv1keycloakrealmrolespeccompositesitems0)]|Composites is a list of composites roles assigned to role.||
+|**compositesClientRoles**|{str:[[V1EdpEpamComV1KeycloakRealmRoleSpecCompositesClientRolesItems0](#v1edpepamcomv1keycloakrealmrolespeccompositesclientrolesitems0)]}|CompositesClientRoles is a map of composites client roles assigned to role.||
+|**description**|str|Description is a role description.||
+|**isDefault**|bool|IsDefault is a flag if role is default.||
+|**name** `required`|str|Name of keycloak role.||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakRealmRoleSpecRealmRef](#v1edpepamcomv1keycloakrealmrolespecrealmref)|realm ref||
+### V1EdpEpamComV1KeycloakRealmRoleSpecCompositesClientRolesItems0
+
+v1 edp epam com v1 keycloak realm role spec composites client roles items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**name** `required`|str|Name is a name of composite role.||
+### V1EdpEpamComV1KeycloakRealmRoleSpecCompositesItems0
+
+v1 edp epam com v1 keycloak realm role spec composites items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**name** `required`|str|Name is a name of composite role.||
+### V1EdpEpamComV1KeycloakRealmRoleSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmRoleStatus
+
+KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**id**|str|ID is a role ID.||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmSpec
+
+KeycloakRealmSpec defines the desired state of KeycloakRealm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**browserFlow**|str|BrowserFlow specifies the authentication flow to use for the realm's browser clients.||
+|**browserSecurityHeaders**|{str:str}|BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients.||
+|**displayHtmlName**|str|DisplayHTMLName name to render in the UI||
+|**displayName**|str|DisplayName is the display name of the realm.||
+|**frontendUrl**|str|FrontendURL Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.||
+|**id**|str|ID is the ID of the realm.||
+|**keycloakOwner**|str|Deprecated: use KeycloakRef instead.
KeycloakOwner specifies the name of the Keycloak instance that owns the realm.||
+|**keycloakRef**|[V1EdpEpamComV1KeycloakRealmSpecKeycloakRef](#v1edpepamcomv1keycloakrealmspeckeycloakref)|keycloak ref||
+|**passwordPolicy**|[[V1EdpEpamComV1KeycloakRealmSpecPasswordPolicyItems0](#v1edpepamcomv1keycloakrealmspecpasswordpolicyitems0)]|PasswordPolicies is a list of password policies to apply to the realm.||
+|**realmEventConfig**|[V1EdpEpamComV1KeycloakRealmSpecRealmEventConfig](#v1edpepamcomv1keycloakrealmspecrealmeventconfig)|realm event config||
+|**realmName** `required`|str|RealmName specifies the name of the realm.||
+|**themes**|[V1EdpEpamComV1KeycloakRealmSpecThemes](#v1edpepamcomv1keycloakrealmspecthemes)|themes||
+|**tokenSettings**|[V1EdpEpamComV1KeycloakRealmSpecTokenSettings](#v1edpepamcomv1keycloakrealmspectokensettings)|token settings||
+|**users**|[[V1EdpEpamComV1KeycloakRealmSpecUsersItems0](#v1edpepamcomv1keycloakrealmspecusersitems0)]|Users is a list of users to create in the realm.||
+### V1EdpEpamComV1KeycloakRealmSpecKeycloakRef
+
+KeycloakRef is reference to Keycloak custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"Keycloak" | "ClusterKeycloak"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmSpecPasswordPolicyItems0
+
+v1 edp epam com v1 keycloak realm spec password policy items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**type** `required`|str|||
+|**value** `required`|str|Value of password policy.||
+### V1EdpEpamComV1KeycloakRealmSpecRealmEventConfig
+
+RealmEventConfig is the configuration for events in the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**adminEventsDetailsEnabled**|bool|AdminEventsDetailsEnabled indicates whether to enable detailed admin events.||
+|**adminEventsEnabled**|bool|AdminEventsEnabled indicates whether to enable admin events.||
+|**enabledEventTypes**|[str]|EnabledEventTypes is a list of event types to enable.||
+|**eventsEnabled**|bool|EventsEnabled indicates whether to enable events.||
+|**eventsExpiration**|int|EventsExpiration is the number of seconds after which events expire.||
+|**eventsListeners**|[str]|EventsListeners is a list of event listeners to enable.||
+### V1EdpEpamComV1KeycloakRealmSpecThemes
+
+Themes is a map of themes to apply to the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**accountTheme**|str|AccountTheme specifies the account theme to use for the realm.||
+|**adminConsoleTheme**|str|AdminConsoleTheme specifies the admin console theme to use for the realm.||
+|**emailTheme**|str|EmailTheme specifies the email theme to use for the realm.||
+|**internationalizationEnabled**|bool|InternationalizationEnabled indicates whether to enable internationalization.||
+|**loginTheme**|str|LoginTheme specifies the login theme to use for the realm.||
+### V1EdpEpamComV1KeycloakRealmSpecTokenSettings
+
+TokenSettings is the configuration for tokens in the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**accessCodeLifespan**|int|AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol.
This should normally be 1 minute.|60|
+|**accessToken**|int|AccessTokenLifespanForImplicitFlow specifies max time(in seconds) before an access token is expired for implicit flow.|900|
+|**accessTokenLifespan**|int|AccessTokenLifespan specifies max time(in seconds) before an access token is expired.
This value is recommended to be short relative to the SSO timeout.|300|
+|**actionTokenGeneratedByAdminLifespan**|int|ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired.
This value is recommended to be long to allow administrators to send e-mails for users that are currently offline.
The default timeout can be overridden immediately before issuing the token.|43200|
+|**actionTokenGeneratedByUserLifespan**|int|AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired.
This value is recommended to be short because it's expected that the user would react to self-created action quickly.|300|
+|**defaultSignatureAlgorithm**|"ES256" | "ES384" | "ES512" | "EdDSA" | "HS256" | "HS384" | "HS512" | "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512"|DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm|"RS256"|
+|**refreshTokenMaxReuse**|int|RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused.
When a different token is used, revocation is immediate.|0|
+|**revokeRefreshToken**|bool|RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and
is revoked when a different token is used.
Otherwise, refresh tokens are not revoked when used and can be used multiple times.|False|
+### V1EdpEpamComV1KeycloakRealmSpecUsersItems0
+
+v1 edp epam com v1 keycloak realm spec users items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**realmRoles**|[str]|RealmRoles is a list of roles attached to keycloak user.||
+|**username** `required`|str|Username of keycloak user.||
+### V1EdpEpamComV1KeycloakRealmStatus
+
+KeycloakRealmStatus defines the observed state of KeycloakRealm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**available**|bool|available||
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakRealmUserSpec
+
+KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**attributes**|{str:str}|Attributes is a map of user attributes.||
+|**email**|str|Email is a user email.||
+|**emailVerified**|bool|EmailVerified is a user email verified flag.||
+|**enabled**|bool|Enabled is a user enabled flag.||
+|**firstName**|str|FirstName is a user first name.||
+|**groups**|[str]|Groups is a list of groups assigned to user.||
+|**keepResource**|bool|KeepResource, when set to false, results in the deletion of the KeycloakRealmUser Custom Resource (CR)
from the cluster after the corresponding user is created in Keycloak. The user will continue to exist in Keycloak.
When set to true, the CR will not be deleted after processing.|True|
+|**lastName**|str|LastName is a user last name.||
+|**password**|str|Password is a user password. Allows to keep user password within Custom Resource. For security concerns, it is recommended to use PasswordSecret instead.||
+|**passwordSecret**|[V1EdpEpamComV1KeycloakRealmUserSpecPasswordSecret](#v1edpepamcomv1keycloakrealmuserspecpasswordsecret)|password secret||
+|**realm**|str|Deprecated: use RealmRef instead.
Realm is name of KeycloakRealm custom resource.||
+|**realmRef**|[V1EdpEpamComV1KeycloakRealmUserSpecRealmRef](#v1edpepamcomv1keycloakrealmuserspecrealmref)|realm ref||
+|**reconciliationStrategy**|str|ReconciliationStrategy is a strategy for reconciliation. Possible values: full, create-only.
Default value: full. If set to create-only, user will be created only if it does not exist. If user exists, it will not be updated.
If set to full, user will be created if it does not exist, or updated if it exists.||
+|**requiredUserActions**|[str]|RequiredUserActions is required action when user log in, example: CONFIGURE_TOTP, UPDATE_PASSWORD, UPDATE_PROFILE, VERIFY_EMAIL.||
+|**roles**|[str]|Roles is a list of roles assigned to user.||
+|**username** `required`|str|Username is a username in keycloak.||
+### V1EdpEpamComV1KeycloakRealmUserSpecPasswordSecret
+
+PasswordSecret defines Kubernetes secret Name and Key, which holds User secret.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**key** `required`|str|Key is the key in the secret.||
+|**name** `required`|str|Name is the name of the secret.||
+### V1EdpEpamComV1KeycloakRealmUserSpecRealmRef
+
+RealmRef is reference to Realm custom resource.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**kind**|"KeycloakRealm" | "ClusterKeycloakRealm"|Kind specifies the kind of the Keycloak resource.||
+|**name**|str|Name specifies the name of the Keycloak resource.||
+### V1EdpEpamComV1KeycloakRealmUserStatus
+
+KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1KeycloakSpec
+
+KeycloakSpec defines the desired state of Keycloak.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**adminType**|"serviceAccount" | "user"|AdminType can be user or serviceAccount, if serviceAccount was specified, then client_credentials grant type should be used for getting admin realm token.||
+|**caCert**|[V1EdpEpamComV1KeycloakSpecCaCert](#v1edpepamcomv1keycloakspeccacert)|ca cert||
+|**insecureSkipVerify**|bool|InsecureSkipVerify controls whether api client verifies the server's
certificate chain and host name. If InsecureSkipVerify is true, api client
accepts any certificate presented by the server and any host name in that
certificate.||
+|**secret** `required`|str|Secret is a secret name which contains admin credentials.||
+|**url** `required`|str|URL of keycloak service.||
+### V1EdpEpamComV1KeycloakSpecCaCert
+
+CACert defines the root certificate authority that api client use when verifying server certificates.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**configMapKeyRef**|[V1EdpEpamComV1KeycloakSpecCaCertConfigMapKeyRef](#v1edpepamcomv1keycloakspeccacertconfigmapkeyref)|config map key ref||
+|**secretKeyRef**|[V1EdpEpamComV1KeycloakSpecCaCertSecretKeyRef](#v1edpepamcomv1keycloakspeccacertsecretkeyref)|secret key ref||
+### V1EdpEpamComV1KeycloakSpecCaCertConfigMapKeyRef
+
+Selects a key of a ConfigMap.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**key** `required`|str|The key to select.||
+|**name**|str|Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?||
+### V1EdpEpamComV1KeycloakSpecCaCertSecretKeyRef
+
+Selects a key of a secret.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**key** `required`|str|The key of the secret to select from.||
+|**name**|str|Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?||
+### V1EdpEpamComV1KeycloakStatus
+
+KeycloakStatus defines the observed state of Keycloak.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**connected** `required`|bool|Connected shows if keycloak service is up and running.||
+### ClusterKeycloak
+
+ClusterKeycloak is the Schema for the clusterkeycloaks API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1alpha1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1alpha1"|
+|**kind** `required` `readOnly`|"ClusterKeycloak"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"ClusterKeycloak"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1alpha1ClusterKeycloakSpec](#v1edpepamcomv1alpha1clusterkeycloakspec)|spec||
+|**status**|[V1EdpEpamComV1alpha1ClusterKeycloakStatus](#v1edpepamcomv1alpha1clusterkeycloakstatus)|status||
+### ClusterKeycloakRealm
+
+ClusterKeycloakRealm is the Schema for the clusterkeycloakrealms API.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**apiVersion** `required` `readOnly`|"v1.edp.epam.com/v1alpha1"|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|"v1.edp.epam.com/v1alpha1"|
+|**kind** `required` `readOnly`|"ClusterKeycloakRealm"|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|"ClusterKeycloakRealm"|
+|**metadata**|[ObjectMeta](#objectmeta)|metadata||
+|**spec**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpec](#v1edpepamcomv1alpha1clusterkeycloakrealmspec)|spec||
+|**status**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmStatus](#v1edpepamcomv1alpha1clusterkeycloakrealmstatus)|status||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpec
+
+ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**authenticationFlows**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecAuthenticationFlows](#v1edpepamcomv1alpha1clusterkeycloakrealmspecauthenticationflows)|authentication flows||
+|**browserSecurityHeaders**|{str:str}|BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients.||
+|**clusterKeycloakRef** `required`|str|ClusterKeycloakRef is a name of the ClusterKeycloak instance that owns the realm.||
+|**displayHtmlName**|str|DisplayHTMLName name to render in the UI.||
+|**displayName**|str|DisplayName is the display name of the realm.||
+|**frontendUrl**|str|FrontendURL Set the frontend URL for the realm.
Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.||
+|**localization**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecLocalization](#v1edpepamcomv1alpha1clusterkeycloakrealmspeclocalization)|localization||
+|**passwordPolicy**|[[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecPasswordPolicyItems0](#v1edpepamcomv1alpha1clusterkeycloakrealmspecpasswordpolicyitems0)]|PasswordPolicies is a list of password policies to apply to the realm.||
+|**realmEventConfig**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecRealmEventConfig](#v1edpepamcomv1alpha1clusterkeycloakrealmspecrealmeventconfig)|realm event config||
+|**realmName** `required`|str|RealmName specifies the name of the realm.||
+|**themes**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecThemes](#v1edpepamcomv1alpha1clusterkeycloakrealmspecthemes)|themes||
+|**tokenSettings**|[V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecTokenSettings](#v1edpepamcomv1alpha1clusterkeycloakrealmspectokensettings)|token settings||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecAuthenticationFlows
+
+AuthenticationFlow is the configuration for authentication flows in the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**browserFlow**|str|BrowserFlow specifies the authentication flow to use for the realm's browser clients.||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecLocalization
+
+Localization is the configuration for localization in the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**internationalizationEnabled**|bool|InternationalizationEnabled indicates whether to enable internationalization.||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecPasswordPolicyItems0
+
+v1 edp epam com v1alpha1 cluster keycloak realm spec password policy items0
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**type** `required`|str|||
+|**value** `required`|str|Value of password policy.||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecRealmEventConfig
+
+RealmEventConfig is the configuration for events in the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**adminEventsDetailsEnabled**|bool|AdminEventsDetailsEnabled indicates whether to enable detailed admin events.||
+|**adminEventsEnabled**|bool|AdminEventsEnabled indicates whether to enable admin events.||
+|**enabledEventTypes**|[str]|EnabledEventTypes is a list of event types to enable.||
+|**eventsEnabled**|bool|EventsEnabled indicates whether to enable events.||
+|**eventsExpiration**|int|EventsExpiration is the number of seconds after which events expire.||
+|**eventsListeners**|[str]|EventsListeners is a list of event listeners to enable.||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecThemes
+
+Themes is a map of themes to apply to the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**accountTheme**|str|AccountTheme specifies the account theme to use for the realm.||
+|**adminConsoleTheme**|str|AdminConsoleTheme specifies the admin console theme to use for the realm.||
+|**emailTheme**|str|EmailTheme specifies the email theme to use for the realm.||
+|**loginTheme**|str|LoginTheme specifies the login theme to use for the realm.||
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecTokenSettings
+
+TokenSettings is the configuration for tokens in the realm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**accessCodeLifespan**|int|AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol.
This should normally be 1 minute.|60|
+|**accessToken**|int|AccessTokenLifespanForImplicitFlow specifies max time(in seconds) before an access token is expired for implicit flow.|900|
+|**accessTokenLifespan**|int|AccessTokenLifespan specifies max time(in seconds) before an access token is expired.
This value is recommended to be short relative to the SSO timeout.|300|
+|**actionTokenGeneratedByAdminLifespan**|int|ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired.
This value is recommended to be long to allow administrators to send e-mails for users that are currently offline.
The default timeout can be overridden immediately before issuing the token.|43200|
+|**actionTokenGeneratedByUserLifespan**|int|AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired.
This value is recommended to be short because it's expected that the user would react to self-created action quickly.|300|
+|**defaultSignatureAlgorithm**|"ES256" | "ES384" | "ES512" | "EdDSA" | "HS256" | "HS384" | "HS512" | "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512"|DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm|"RS256"|
+|**refreshTokenMaxReuse**|int|RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused.
When a different token is used, revocation is immediate.|0|
+|**revokeRefreshToken**|bool|RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and
is revoked when a different token is used.
Otherwise, refresh tokens are not revoked when used and can be used multiple times.|False|
+### V1EdpEpamComV1alpha1ClusterKeycloakRealmStatus
+
+ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**available**|bool|available||
+|**failureCount**|int|failure count||
+|**value**|str|value||
+### V1EdpEpamComV1alpha1ClusterKeycloakSpec
+
+ClusterKeycloakSpec defines the desired state of ClusterKeycloak.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**adminType**|"serviceAccount" | "user"|AdminType can be user or serviceAccount, if serviceAccount was specified,
then client_credentials grant type should be used for getting admin realm token.|"user"|
+|**caCert**|[V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCert](#v1edpepamcomv1alpha1clusterkeycloakspeccacert)|ca cert||
+|**insecureSkipVerify**|bool|InsecureSkipVerify controls whether api client verifies the server's
certificate chain and host name. If InsecureSkipVerify is true, api client
accepts any certificate presented by the server and any host name in that
certificate.||
+|**secret** `required`|str|Secret is a secret name which contains admin credentials.||
+|**url** `required`|str|URL of keycloak service.||
+### V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCert
+
+CACert defines the root certificate authority that api clients use when verifying server certificates. Resources should be in the namespace defined in operator OPERATOR_NAMESPACE env.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**configMapKeyRef**|[V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertConfigMapKeyRef](#v1edpepamcomv1alpha1clusterkeycloakspeccacertconfigmapkeyref)|config map key ref||
+|**secretKeyRef**|[V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertSecretKeyRef](#v1edpepamcomv1alpha1clusterkeycloakspeccacertsecretkeyref)|secret key ref||
+### V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertConfigMapKeyRef
+
+Selects a key of a ConfigMap.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**key** `required`|str|The key to select.||
+|**name**|str|Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?||
+### V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertSecretKeyRef
+
+Selects a key of a secret.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**key** `required`|str|The key of the secret to select from.||
+|**name**|str|Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?||
+### V1EdpEpamComV1alpha1ClusterKeycloakStatus
+
+ClusterKeycloakStatus defines the observed state of ClusterKeycloak.
+
+#### Attributes
+
+| name | type | description | default value |
+| --- | --- | --- | --- |
+|**connected** `required`|bool|Connected shows if keycloak service is up and running.||
+
diff --git a/edp-keycloak-operator/crds/edp-keycloak-operator.yaml b/edp-keycloak-operator/crds/edp-keycloak-operator.yaml
new file mode 100644
index 00000000..d9abb817
--- /dev/null
+++ b/edp-keycloak-operator/crds/edp-keycloak-operator.yaml
@@ -0,0 +1,2577 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloaks.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: Keycloak
+ listKind: KeycloakList
+ plural: keycloaks
+ singular: keycloak
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Is connected to keycloak
+ jsonPath: .status.connected
+ name: Connected
+ type: boolean
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Keycloak is the Schema for the keycloaks API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakSpec defines the desired state of Keycloak.
+ properties:
+ adminType:
+ description: AdminType can be user or serviceAccount, if serviceAccount
+ was specified, then client_credentials grant type should be used
+ for getting admin realm token.
+ enum:
+ - serviceAccount
+ - user
+ type: string
+ caCert:
+ description: |-
+ CACert defines the root certificate authority
+ that api client use when verifying server certificates.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ type: string
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret.
+ properties:
+ key:
+ description: The key of the secret to select from.
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ type: string
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ insecureSkipVerify:
+ description: |-
+ InsecureSkipVerify controls whether api client verifies the server's
+ certificate chain and host name. If InsecureSkipVerify is true, api client
+ accepts any certificate presented by the server and any host name in that
+ certificate.
+ type: boolean
+ secret:
+ description: Secret is a secret name which contains admin credentials.
+ type: string
+ url:
+ description: URL of keycloak service.
+ type: string
+ required:
+ - secret
+ - url
+ type: object
+ status:
+ default:
+ connected: false
+ description: KeycloakStatus defines the observed state of Keycloak.
+ properties:
+ connected:
+ description: Connected shows if keycloak service is up and running.
+ type: boolean
+ required:
+ - connected
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakauthflows.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakAuthFlow
+ listKind: KeycloakAuthFlowList
+ plural: keycloakauthflows
+ singular: keycloakauthflow
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakAuthFlow is the Schema for the keycloak authentication
+ flow API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.
+ properties:
+ alias:
+ description: Alias is display name for authentication flow.
+ type: string
+ authenticationExecutions:
+ description: AuthenticationExecutions is list of authentication executions
+ for this auth flow.
+ items:
+ description: AuthenticationExecution defines keycloak authentication
+ execution.
+ properties:
+ alias:
+ description: Alias is display name for this execution.
+ type: string
+ authenticator:
+ description: Authenticator is name of authenticator.
+ type: string
+ authenticatorConfig:
+ description: AuthenticatorConfig is configuration for authenticator.
+ nullable: true
+ properties:
+ alias:
+ description: Alias is display name for authenticator config.
+ type: string
+ config:
+ additionalProperties:
+ type: string
+ description: Config is configuration for authenticator.
+ type: object
+ type: object
+ authenticatorFlow:
+ description: AuthenticatorFlow is true if this is auth flow.
+ type: boolean
+ priority:
+ description: Priority is priority for this execution. Lower
+ values have higher priority.
+ type: integer
+ requirement:
+ description: 'Requirement is requirement for this execution.
+ Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.'
+ type: string
+ type: object
+ nullable: true
+ type: array
+ builtIn:
+ description: BuiltIn is true if this is built-in auth flow.
+ type: boolean
+ childRequirement:
+ description: 'ChildRequirement is requirement for child execution.
+ Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.'
+ type: string
+ childType:
+ description: 'ChildType is type for auth flow if it has a parent,
+ available options: basic-flow, form-flow'
+ type: string
+ description:
+ description: Description is description for authentication flow.
+ type: string
+ parentName:
+ description: ParentName is name of parent auth flow.
+ type: string
+ providerId:
+ description: ProviderID for root auth flow and provider for child
+ auth flows.
+ type: string
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ topLevel:
+ description: TopLevel is true if this is root auth flow.
+ type: boolean
+ required:
+ - alias
+ - builtIn
+ - providerId
+ - topLevel
+ type: object
+ status:
+ description: KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakclients.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakClient
+ listKind: KeycloakClientList
+ plural: keycloakclients
+ singular: keycloakclient
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakClient is the Schema for the keycloak clients API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakClientSpec defines the desired state of KeycloakClient.
+ properties:
+ advancedProtocolMappers:
+ description: AdvancedProtocolMappers is a flag to enable advanced
+ protocol mappers.
+ type: boolean
+ attributes:
+ additionalProperties:
+ type: string
+ default:
+ post.logout.redirect.uris: +
+ description: Attributes is a map of client attributes.
+ nullable: true
+ type: object
+ authorization:
+ description: Authorization is a client authorization configuration.
+ nullable: true
+ properties:
+ permissions:
+ items:
+ properties:
+ decisionStrategy:
+ default: UNANIMOUS
+ description: DecisionStrategy is a permission decision strategy.
+ enum:
+ - UNANIMOUS
+ - AFFIRMATIVE
+ - CONSENSUS
+ type: string
+ description:
+ description: Description is a permission description.
+ type: string
+ logic:
+ default: POSITIVE
+ description: Logic is a permission logic.
+ enum:
+ - POSITIVE
+ - NEGATIVE
+ type: string
+ name:
+ description: Name is a permission name.
+ type: string
+ policies:
+ description: |-
+ Policies is a list of policies names.
+ Specifies all the policies that must be applied to the scopes defined by this policy or permission.
+ example:
+ - policy1
+ - policy2
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: |-
+ Resources is a list of resources names.
+ Specifies that this permission must be applied to all resource instances of a given type.
+ example:
+ - resource1
+ - resource2
+ items:
+ type: string
+ nullable: true
+ type: array
+ scopes:
+ description: |-
+ Scopes is a list of authorization scopes names.
+ Specifies that this permission must be applied to one or more scopes.
+ example:
+ - scope1
+ - scope2
+ items:
+ type: string
+ nullable: true
+ type: array
+ type:
+ description: Type is a permission type.
+ enum:
+ - resource
+ - scope
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ type: array
+ policies:
+ items:
+ description: Policy represents a client authorization policy.
+ properties:
+ aggregatedPolicy:
+ description: AggregatedPolicy is an aggregated policy settings.
+ properties:
+ policies:
+ description: |-
+ Policies is a list of aggregated policies names.
+ Specifies all the policies that must be applied to the scopes defined by this policy or permission.
+ example:
+ policies:
+ - policy1
+ - policy2
+ items:
+ type: string
+ type: array
+ required:
+ - policies
+ type: object
+ clientPolicy:
+ description: ClientPolicy is a client policy settings.
+ properties:
+ clients:
+ description: Clients is a list of client names. Specifies
+ which client(s) are allowed by this policy.
+ example:
+ - clients1
+ - clients2
+ items:
+ type: string
+ type: array
+ required:
+ - clients
+ type: object
+ decisionStrategy:
+ default: UNANIMOUS
+ description: DecisionStrategy is a policy decision strategy.
+ enum:
+ - UNANIMOUS
+ - AFFIRMATIVE
+ - CONSENSUS
+ type: string
+ description:
+ description: Description is a policy description.
+ type: string
+ groupPolicy:
+ description: GroupPolicy is a group policy settings.
+ properties:
+ groups:
+ description: Groups is a list of group names. Specifies
+ which group(s) are allowed by this policy.
+ example: '{"groups":[{"name":"group1","extendChildren":true},{"name":"group2"}]}'
+ items:
+ description: GroupDefinition represents a group in
+ a GroupPolicyData.
+ properties:
+ extendChildren:
+ description: ExtendChildren is a flag that specifies
+ whether to extend children.
+ type: boolean
+ name:
+ description: Name is a group name.
+ example: group1
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ groupsClaim:
+ description: |-
+ GroupsClaim is a group claim.
+ If defined, the policy will fetch user's groups from the given claim
+ within an access token or ID token representing the identity asking permissions.
+ If not defined, user's groups are obtained from your realm configuration.
+ type: string
+ type: object
+ logic:
+ default: POSITIVE
+ description: Logic is a policy logic.
+ enum:
+ - POSITIVE
+ - NEGATIVE
+ type: string
+ name:
+ description: Name is a policy name.
+ type: string
+ rolePolicy:
+ description: RolePolicy is a role policy settings.
+ properties:
+ roles:
+ description: Roles is a list of role.
+ example:
+ roles:
+ - name: role1
+ required: true
+ - name: role2
+ items:
+ description: RoleDefinition represents a role in a
+ RolePolicyData.
+ properties:
+ name:
+ description: Name is a role name.
+ example: role1
+ type: string
+ required:
+ description: Required is a flag that specifies
+ whether the role is required.
+ type: boolean
+ required:
+ - name
+ type: object
+ type: array
+ required:
+ - roles
+ type: object
+ timePolicy:
+ description: ScopePolicy is a scope policy settings.
+ properties:
+ dayMonth:
+ description: |-
+ Day defines the month which the policy MUST be granted.
+ You can also provide a range by filling the dayMonthEnd field.
+ In this case, permission is granted only if current month is between or equal to the two values you provided.
+ example: "1"
+ type: string
+ dayMonthEnd:
+ example: "2"
+ type: string
+ hour:
+ description: |-
+ Hour defines the hour when the policy MUST be granted.
+ You can also provide a range by filling the hourEnd.
+ In this case, permission is granted only if current hour is between or equal to the two values you provided.
+ example: "1"
+ type: string
+ hourEnd:
+ example: "2"
+ type: string
+ minute:
+ description: |-
+ Minute defines the minute when the policy MUST be granted.
+ You can also provide a range by filling the minuteEnd field.
+ In this case, permission is granted only if current minute is between or equal to the two values you provided.
+ example: "1"
+ type: string
+ minuteEnd:
+ example: "2"
+ type: string
+ month:
+ description: |-
+ Month defines the month which the policy MUST be granted.
+ You can also provide a range by filling the monthEnd.
+ In this case, permission is granted only if current month is between or equal to the two values you provided.
+ example: "1"
+ type: string
+ monthEnd:
+ example: "2"
+ type: string
+ notBefore:
+ description: |-
+ NotBefore defines the time before which the policy MUST NOT be granted.
+ Only granted if current date/time is after or equal to this value.
+ example: "2024-03-03 00:00:00"
+ type: string
+ notOnOrAfter:
+ description: |-
+ NotOnOrAfter defines the time after which the policy MUST NOT be granted.
+ Only granted if current date/time is before or equal to this value.
+ example: "2024-04-04 00:00:00"
+ type: string
+ required:
+ - notBefore
+ - notOnOrAfter
+ type: object
+ type:
+ description: Type is a policy type.
+ enum:
+ - aggregate
+ - client
+ - group
+ - role
+ - time
+ - user
+ type: string
+ userPolicy:
+ description: UserPolicy is a user policy settings.
+ properties:
+ users:
+ description: Users is a list of usernames. Specifies
+ which user(s) are allowed by this policy.
+ example:
+ - users1
+ - users2
+ items:
+ type: string
+ type: array
+ required:
+ - users
+ type: object
+ required:
+ - name
+ - type
+ type: object
+ type: array
+ scopes:
+ items:
+ type: string
+ type: array
+ type: object
+ authorizationServicesEnabled:
+ description: ServiceAccountsEnabled enable/disable fine-grained authorization
+ support for a client.
+ type: boolean
+ bearerOnly:
+ description: BearerOnly is a flag to enable bearer-only.
+ type: boolean
+ clientAuthenticatorType:
+ default: client-secret
+ description: ClientAuthenticatorType is a client authenticator type.
+ type: string
+ clientId:
+ description: ClientId is a unique keycloak client ID referenced in
+ URI and tokens.
+ type: string
+ clientRoles:
+ description: ClientRoles is a list of client roles names assigned
+ to client.
+ items:
+ type: string
+ nullable: true
+ type: array
+ consentRequired:
+ description: ConsentRequired is a flag to enable consent.
+ type: boolean
+ defaultClientScopes:
+ description: DefaultClientScopes is a list of default client scopes
+ assigned to client.
+ items:
+ type: string
+ nullable: true
+ type: array
+ description:
+ description: Description is a client description.
+ type: string
+ directAccess:
+ description: DirectAccess is a flag to set client as direct access.
+ type: boolean
+ enabled:
+ default: true
+ description: Enabled is a flag to enable client.
+ type: boolean
+ frontChannelLogout:
+ description: FrontChannelLogout is a flag to enable front channel
+ logout.
+ type: boolean
+ fullScopeAllowed:
+ default: true
+ description: FullScopeAllowed is a flag to enable full scope.
+ type: boolean
+ implicitFlowEnabled:
+ description: ImplicitFlowEnabled is a flag to enable support for OpenID
+ Connect redirect based authentication without authorization code.
+ type: boolean
+ name:
+ description: Name is a client name.
+ type: string
+ optionalClientScopes:
+ description: OptionalClientScopes is a list of optional client scopes
+ assigned to client.
+ items:
+ type: string
+ nullable: true
+ type: array
+ protocol:
+ description: Protocol is a client protocol.
+ nullable: true
+ type: string
+ protocolMappers:
+ description: ProtocolMappers is a list of protocol mappers assigned
+ to client.
+ items:
+ properties:
+ config:
+ additionalProperties:
+ type: string
+ description: Config is a map of protocol mapper configuration.
+ nullable: true
+ type: object
+ name:
+ description: Name is a protocol mapper name.
+ type: string
+ protocol:
+ description: Protocol is a protocol name.
+ type: string
+ protocolMapper:
+ description: ProtocolMapper is a protocol mapper name.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ public:
+ description: Public is a flag to set client as public.
+ type: boolean
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ realmRoles:
+ description: RealmRoles is a list of realm roles assigned to client.
+ items:
+ properties:
+ composite:
+ description: Composite is a realm composite role name.
+ type: string
+ name:
+ description: Name is a realm role name.
+ type: string
+ required:
+ - composite
+ type: object
+ nullable: true
+ type: array
+ reconciliationStrategy:
+ description: ReconciliationStrategy is a strategy to reconcile client.
+ enum:
+ - full
+ - addOnly
+ type: string
+ redirectUris:
+ description: |-
+ RedirectUris is a list of valid URI pattern a browser can redirect to after a successful login.
+ Simple wildcards are allowed such as 'https://example.com/*'.
+ Relative path can be specified too, such as /my/relative/path/*. Relative paths are relative to the client root URL.
+ If not specified, spec.webUrl + "/*" will be used.
+ example:
+ - https://example.com/*
+ - /my/relative/path/*
+ items:
+ type: string
+ nullable: true
+ type: array
+ secret:
+ description: |-
+ Secret is kubernetes secret name where the client's secret will be stored.
+ Secret should have the following format: $secretName:secretKey.
+ If not specified, a client secret will be generated and stored in a secret with the name keycloak-client-{metadata.name}-secret.
+ If keycloak client is public, secret property will be ignored.
+ example: $keycloak-secret:client_secret
+ type: string
+ serviceAccount:
+ description: ServiceAccount is a service account configuration.
+ nullable: true
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Attributes is a map of service account attributes.
+ nullable: true
+ type: object
+ clientRoles:
+ description: ClientRoles is a list of client roles assigned to
+ service account.
+ items:
+ properties:
+ clientId:
+ description: ClientID is a client ID.
+ type: string
+ roles:
+ description: Roles is a list of client roles names assigned
+ to service account.
+ items:
+ type: string
+ nullable: true
+ type: array
+ required:
+ - clientId
+ type: object
+ nullable: true
+ type: array
+ enabled:
+ description: Enabled is a flag to enable service account.
+ type: boolean
+ realmRoles:
+ description: RealmRoles is a list of realm roles assigned to service
+ account.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ standardFlowEnabled:
+ default: true
+ description: StandardFlowEnabled is a flag to enable standard flow.
+ type: boolean
+ surrogateAuthRequired:
+ description: SurrogateAuthRequired is a flag to enable surrogate auth.
+ type: boolean
+ targetRealm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ TargetRealm is a realm name where client will be created.
+ It has higher priority than RealmRef for backward compatibility.
+ If both TargetRealm and RealmRef are specified, TargetRealm will be used for client creation.
+ type: string
+ webOrigins:
+ description: |-
+ WebOrigins is a list of allowed CORS origins.
+ To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though.
+ To permit all origins, explicitly add '*'.
+ If not specified, the value from `WebUrl` is used
+ example:
+ - https://example.com/*
+ items:
+ type: string
+ nullable: true
+ type: array
+ webUrl:
+ description: WebUrl is a client web url.
+ type: string
+ required:
+ - clientId
+ type: object
+ status:
+ description: KeycloakClientStatus defines the observed state of KeycloakClient.
+ properties:
+ clientId:
+ type: string
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakclientscopes.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakClientScope
+ listKind: KeycloakClientScopeList
+ plural: keycloakclientscopes
+ singular: keycloakclientscope
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakClientScope is the Schema for the keycloakclientscopes
+ API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakClientScopeSpec defines the desired state of KeycloakClientScope.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Attributes is a map of client scope attributes.
+ nullable: true
+ type: object
+ default:
+ description: Default is a flag to set client scope as default.
+ type: boolean
+ description:
+ description: Description is a description of client scope.
+ type: string
+ name:
+ description: Name of keycloak client scope.
+ type: string
+ protocol:
+ description: Protocol is SSO protocol configuration which is being
+ supplied by this client scope.
+ type: string
+ protocolMappers:
+ description: ProtocolMappers is a list of protocol mappers assigned
+ to client scope.
+ items:
+ properties:
+ config:
+ additionalProperties:
+ type: string
+ description: Config is a map of protocol mapper configuration.
+ nullable: true
+ type: object
+ name:
+ description: Name is a protocol mapper name.
+ type: string
+ protocol:
+ description: Protocol is a protocol name.
+ type: string
+ protocolMapper:
+ description: ProtocolMapper is a protocol mapper name.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ required:
+ - name
+ - protocol
+ type: object
+ status:
+ description: KeycloakClientScopeStatus defines the observed state of KeycloakClientScope.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ id:
+ type: string
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealms.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealm
+ listKind: KeycloakRealmList
+ plural: keycloakrealms
+ singular: keycloakrealm
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Is the resource available
+ jsonPath: .status.available
+ name: Available
+ type: boolean
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealm is the Schema for the keycloak realms API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakRealmSpec defines the desired state of KeycloakRealm.
+ properties:
+ browserFlow:
+ description: BrowserFlow specifies the authentication flow to use
+ for the realm's browser clients.
+ nullable: true
+ type: string
+ browserSecurityHeaders:
+ additionalProperties:
+ type: string
+ description: BrowserSecurityHeaders is a map of security headers to
+ apply to HTTP responses from the realm's browser clients.
+ nullable: true
+ type: object
+ displayHtmlName:
+ description: DisplayHTMLName name to render in the UI
+ type: string
+ displayName:
+ description: DisplayName is the display name of the realm.
+ type: string
+ frontendUrl:
+ description: FrontendURL Set the frontend URL for the realm. Use in
+ combination with the default hostname provider to override the base
+ URL for frontend requests for a specific realm.
+ type: string
+ id:
+ description: ID is the ID of the realm.
+ nullable: true
+ type: string
+ keycloakOwner:
+ description: |-
+ Deprecated: use KeycloakRef instead.
+ KeycloakOwner specifies the name of the Keycloak instance that owns the realm.
+ nullable: true
+ type: string
+ keycloakRef:
+ description: KeycloakRef is reference to Keycloak custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - Keycloak
+ - ClusterKeycloak
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ passwordPolicy:
+ description: PasswordPolicies is a list of password policies to apply
+ to the realm.
+ items:
+ properties:
+ type:
+ description: Type of password policy.
+ type: string
+ value:
+ description: Value of password policy.
+ type: string
+ required:
+ - type
+ - value
+ type: object
+ nullable: true
+ type: array
+ realmEventConfig:
+ description: RealmEventConfig is the configuration for events in the
+ realm.
+ nullable: true
+ properties:
+ adminEventsDetailsEnabled:
+ description: AdminEventsDetailsEnabled indicates whether to enable
+ detailed admin events.
+ type: boolean
+ adminEventsEnabled:
+ description: AdminEventsEnabled indicates whether to enable admin
+ events.
+ type: boolean
+ enabledEventTypes:
+ description: EnabledEventTypes is a list of event types to enable.
+ items:
+ type: string
+ type: array
+ eventsEnabled:
+ description: EventsEnabled indicates whether to enable events.
+ type: boolean
+ eventsExpiration:
+ description: EventsExpiration is the number of seconds after which
+ events expire.
+ type: integer
+ eventsListeners:
+ description: EventsListeners is a list of event listeners to enable.
+ items:
+ type: string
+ type: array
+ type: object
+ realmName:
+ description: RealmName specifies the name of the realm.
+ type: string
+ themes:
+ description: Themes is a map of themes to apply to the realm.
+ nullable: true
+ properties:
+ accountTheme:
+ description: AccountTheme specifies the account theme to use for
+ the realm.
+ nullable: true
+ type: string
+ adminConsoleTheme:
+ description: AdminConsoleTheme specifies the admin console theme
+ to use for the realm.
+ nullable: true
+ type: string
+ emailTheme:
+ description: EmailTheme specifies the email theme to use for the
+ realm.
+ nullable: true
+ type: string
+ internationalizationEnabled:
+ description: InternationalizationEnabled indicates whether to
+ enable internationalization.
+ nullable: true
+ type: boolean
+ loginTheme:
+ description: LoginTheme specifies the login theme to use for the
+ realm.
+ nullable: true
+ type: string
+ type: object
+ tokenSettings:
+ description: TokenSettings is the configuration for tokens in the
+ realm.
+ nullable: true
+ properties:
+ accessCodeLifespan:
+ default: 60
+ description: |-
+ AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol.
+ This should normally be 1 minute.
+ type: integer
+ accessToken:
+ default: 900
+ description: AccessTokenLifespanForImplicitFlow specifies max
+ time(in seconds) before an access token is expired for implicit
+ flow.
+ type: integer
+ accessTokenLifespan:
+ default: 300
+ description: |-
+ AccessTokenLifespan specifies max time(in seconds) before an access token is expired.
+ This value is recommended to be short relative to the SSO timeout.
+ type: integer
+ actionTokenGeneratedByAdminLifespan:
+ default: 43200
+ description: |-
+ ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired.
+ This value is recommended to be long to allow administrators to send e-mails for users that are currently offline.
+ The default timeout can be overridden immediately before issuing the token.
+ type: integer
+ actionTokenGeneratedByUserLifespan:
+ default: 300
+ description: |-
+ AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired.
+ This value is recommended to be short because it's expected that the user would react to self-created action quickly.
+ type: integer
+ defaultSignatureAlgorithm:
+ default: RS256
+ description: DefaultSignatureAlgorithm specifies the default algorithm
+ used to sign tokens for the realm
+ enum:
+ - ES256
+ - ES384
+ - ES512
+ - EdDSA
+ - HS256
+ - HS384
+ - HS512
+ - PS256
+ - PS384
+ - PS512
+ - RS256
+ - RS384
+ - RS512
+ example: RS256
+ type: string
+ refreshTokenMaxReuse:
+ default: 0
+ description: |-
+ RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused.
+ When a different token is used, revocation is immediate.
+ type: integer
+ revokeRefreshToken:
+ default: false
+ description: |-
+ RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and
+ is revoked when a different token is used.
+ Otherwise, refresh tokens are not revoked when used and can be used multiple times.
+ type: boolean
+ type: object
+ users:
+ description: Users is a list of users to create in the realm.
+ items:
+ properties:
+ realmRoles:
+ description: RealmRoles is a list of roles attached to keycloak
+ user.
+ items:
+ type: string
+ type: array
+ username:
+ description: Username of keycloak user.
+ type: string
+ required:
+ - username
+ type: object
+ nullable: true
+ type: array
+ required:
+ - realmName
+ type: object
+ status:
+ description: KeycloakRealmStatus defines the observed state of KeycloakRealm.
+ properties:
+ available:
+ type: boolean
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealmcomponents.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealmComponent
+ listKind: KeycloakRealmComponentList
+ plural: keycloakrealmcomponents
+ singular: keycloakrealmcomponent
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealmComponent is the Schema for the keycloak component
+ API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakComponentSpec defines the desired state of KeycloakRealmComponent.
+ properties:
+ config:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: |-
+ Config is a map of component configuration.
+ Map key is a name of configuration property, map value is an array value of configuration properties.
+ Any configuration property can be a reference to k8s secret, in this case the property should be in format $secretName:secretKey.
+ example:
+ bindCredential: '["$clientSecret:secretKey"]'
+ bindDn: '["provider-client"]'
+ nullable: true
+ type: object
+ name:
+ description: Name of keycloak component.
+ type: string
+ parentRef:
+ description: |-
+ ParentRef specifies a parent resource.
+ If not specified, then parent is realm specified in realm field.
+ nullable: true
+ properties:
+ kind:
+ default: KeycloakRealm
+ description: Kind is a kind of parent component. By default, it
+ is KeycloakRealm.
+ enum:
+ - KeycloakRealm
+ - KeycloakRealmComponent
+ type: string
+ name:
+ description: |-
+ Name is a name of parent component custom resource.
+ For example, if Kind is KeycloakRealm, then Name is name of KeycloakRealm custom resource.
+ type: string
+ required:
+ - name
+ type: object
+ providerId:
+ description: ProviderID is a provider ID of component.
+ type: string
+ providerType:
+ description: ProviderType is a provider type of component.
+ type: string
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ required:
+ - name
+ - providerId
+ - providerType
+ type: object
+ status:
+ description: KeycloakComponentStatus defines the observed state of KeycloakRealmComponent.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealmgroups.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealmGroup
+ listKind: KeycloakRealmGroupList
+ plural: keycloakrealmgroups
+ singular: keycloakrealmgroup
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealmGroup is the Schema for the keycloak group API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup.
+ properties:
+ access:
+ additionalProperties:
+ type: boolean
+ description: Access is a map of group access.
+ nullable: true
+ type: object
+ attributes:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Attributes is a map of group attributes.
+ nullable: true
+ type: object
+ clientRoles:
+ description: ClientRoles is a list of client roles assigned to group.
+ items:
+ properties:
+ clientId:
+ description: ClientID is a client ID.
+ type: string
+ roles:
+ description: Roles is a list of client roles names assigned
+ to service account.
+ items:
+ type: string
+ nullable: true
+ type: array
+ required:
+ - clientId
+ type: object
+ nullable: true
+ type: array
+ name:
+ description: Name of keycloak group.
+ type: string
+ path:
+ description: Path is a group path.
+ type: string
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ realmRoles:
+ description: RealmRoles is a list of realm roles assigned to group.
+ items:
+ type: string
+ nullable: true
+ type: array
+ subGroups:
+ description: SubGroups is a list of subgroups assigned to group.
+ items:
+ type: string
+ nullable: true
+ type: array
+ required:
+ - name
+ type: object
+ status:
+ description: KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ id:
+ description: ID is a group ID.
+ type: string
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealmidentityproviders.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealmIdentityProvider
+ listKind: KeycloakRealmIdentityProviderList
+ plural: keycloakrealmidentityproviders
+ singular: keycloakrealmidentityprovider
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealmIdentityProvider is the Schema for the keycloak
+ realm identity provider API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakRealmIdentityProviderSpec defines the desired state
+ of KeycloakRealmIdentityProvider.
+ properties:
+ addReadTokenRoleOnCreate:
+ description: AddReadTokenRoleOnCreate is a flag to add read token
+ role on create.
+ type: boolean
+ alias:
+ description: Alias is a alias of identity provider.
+ type: string
+ authenticateByDefault:
+ description: AuthenticateByDefault is a flag to authenticate by default.
+ type: boolean
+ config:
+ additionalProperties:
+ type: string
+ description: |-
+ Config is a map of identity provider configuration.
+ Map key is a name of configuration property, map value is a value of configuration property.
+ Any value can be a reference to k8s secret, in this case value should be in format $secretName:secretKey.
+ example:
+ clientId: provider-client
+ clientSecret: $clientSecret:secretKey
+ type: object
+ displayName:
+ description: DisplayName is a display name of identity provider.
+ type: string
+ enabled:
+ description: Enabled is a flag to enable/disable identity provider.
+ type: boolean
+ firstBrokerLoginFlowAlias:
+ description: FirstBrokerLoginFlowAlias is a first broker login flow
+ alias.
+ type: string
+ linkOnly:
+ description: LinkOnly is a flag to link only.
+ type: boolean
+ mappers:
+ description: Mappers is a list of identity provider mappers.
+ items:
+ properties:
+ config:
+ additionalProperties:
+ type: string
+ description: Config is a map of identity provider mapper configuration.
+ nullable: true
+ type: object
+ identityProviderAlias:
+ description: IdentityProviderAlias is a identity provider alias.
+ type: string
+ identityProviderMapper:
+ description: IdentityProviderMapper is a identity provider mapper.
+ type: string
+ name:
+ description: Name is a name of identity provider mapper.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ providerId:
+ description: ProviderID is a provider ID of identity provider.
+ type: string
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ storeToken:
+ description: StoreToken is a flag to store token.
+ type: boolean
+ trustEmail:
+ description: TrustEmail is a flag to trust email.
+ type: boolean
+ required:
+ - alias
+ - config
+ - enabled
+ - providerId
+ type: object
+ status:
+ description: KeycloakRealmIdentityProviderStatus defines the observed
+ state of KeycloakRealmIdentityProvider.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealmroles.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealmRole
+ listKind: KeycloakRealmRoleList
+ plural: keycloakrealmroles
+ singular: keycloakrealmrole
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealmRole is the Schema for the keycloak group API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole.
+ properties:
+ attributes:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Attributes is a map of role attributes.
+ nullable: true
+ type: object
+ composite:
+ description: Composite is a flag if role is composite.
+ type: boolean
+ composites:
+ description: Composites is a list of composites roles assigned to
+ role.
+ items:
+ properties:
+ name:
+ description: Name is a name of composite role.
+ type: string
+ required:
+ - name
+ type: object
+ nullable: true
+ type: array
+ compositesClientRoles:
+ additionalProperties:
+ items:
+ properties:
+ name:
+ description: Name is a name of composite role.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ description: CompositesClientRoles is a map of composites client roles
+ assigned to role.
+ example:
+ client1:
+ - name: role1
+ - name: role2
+ client2:
+ name: role3
+ nullable: true
+ type: object
+ description:
+ description: Description is a role description.
+ type: string
+ isDefault:
+ description: IsDefault is a flag if role is default.
+ type: boolean
+ name:
+ description: Name of keycloak role.
+ type: string
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ required:
+ - name
+ type: object
+ status:
+ description: KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ id:
+ description: ID is a role ID.
+ type: string
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealmrolebatches.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealmRoleBatch
+ listKind: KeycloakRealmRoleBatchList
+ plural: keycloakrealmrolebatches
+ singular: keycloakrealmrolebatch
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealmRoleBatch is the Schema for the keycloak roles API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch.
+ properties:
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ roles:
+ description: Roles is a list of roles to be created.
+ items:
+ properties:
+ attributes:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Attributes is a map of role attributes.
+ nullable: true
+ type: object
+ composite:
+ description: Composite is a flag if role is composite.
+ type: boolean
+ composites:
+ description: Composites is a list of composites roles assigned
+ to role.
+ items:
+ properties:
+ name:
+ description: Name is a name of composite role.
+ type: string
+ required:
+ - name
+ type: object
+ nullable: true
+ type: array
+ description:
+ description: Description is a role description.
+ type: string
+ isDefault:
+ description: IsDefault is a flag if role is default.
+ type: boolean
+ name:
+ description: Name of keycloak role.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ required:
+ - roles
+ type: object
+ status:
+ description: KeycloakRealmRoleBatchStatus defines the observed state of
+ KeycloakRealmRoleBatch.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: keycloakrealmusers.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: KeycloakRealmUser
+ listKind: KeycloakRealmUserList
+ plural: keycloakrealmusers
+ singular: keycloakrealmuser
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Reconcilation status
+ jsonPath: .status.value
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: KeycloakRealmUser is the Schema for the keycloak user API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Attributes is a map of user attributes.
+ nullable: true
+ type: object
+ email:
+ description: Email is a user email.
+ type: string
+ emailVerified:
+ description: EmailVerified is a user email verified flag.
+ type: boolean
+ enabled:
+ description: Enabled is a user enabled flag.
+ type: boolean
+ firstName:
+ description: FirstName is a user first name.
+ type: string
+ groups:
+ description: Groups is a list of groups assigned to user.
+ items:
+ type: string
+ nullable: true
+ type: array
+ keepResource:
+ default: true
+ description: |-
+ KeepResource, when set to false, results in the deletion of the KeycloakRealmUser Custom Resource (CR)
+ from the cluster after the corresponding user is created in Keycloak. The user will continue to exist in Keycloak.
+ When set to true, the CR will not be deleted after processing.
+ type: boolean
+ lastName:
+ description: LastName is a user last name.
+ type: string
+ password:
+ description: Password is a user password. Allows to keep user password
+ within Custom Resource. For security concerns, it is recommended
+ to use PasswordSecret instead.
+ type: string
+ passwordSecret:
+ description: PasswordSecret defines Kubernetes secret Name and Key,
+ which holds User secret.
+ nullable: true
+ properties:
+ key:
+ description: Key is the key in the secret.
+ type: string
+ name:
+ description: Name is the name of the secret.
+ type: string
+ required:
+ - key
+ - name
+ type: object
+ realm:
+ description: |-
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ type: string
+ realmRef:
+ description: RealmRef is reference to Realm custom resource.
+ properties:
+ kind:
+ description: Kind specifies the kind of the Keycloak resource.
+ enum:
+ - KeycloakRealm
+ - ClusterKeycloakRealm
+ type: string
+ name:
+ description: Name specifies the name of the Keycloak resource.
+ type: string
+ type: object
+ reconciliationStrategy:
+ description: |-
+ ReconciliationStrategy is a strategy for reconciliation. Possible values: full, create-only.
+ Default value: full. If set to create-only, user will be created only if it does not exist. If user exists, it will not be updated.
+ If set to full, user will be created if it does not exist, or updated if it exists.
+ type: string
+ requiredUserActions:
+ description: 'RequiredUserActions is required action when user log
+ in, example: CONFIGURE_TOTP, UPDATE_PASSWORD, UPDATE_PROFILE, VERIFY_EMAIL.'
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is a list of roles assigned to user.
+ items:
+ type: string
+ nullable: true
+ type: array
+ username:
+ description: Username is a username in keycloak.
+ type: string
+ required:
+ - username
+ type: object
+ status:
+ description: KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser.
+ properties:
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: clusterkeycloaks.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: ClusterKeycloak
+ listKind: ClusterKeycloakList
+ plural: clusterkeycloaks
+ singular: clusterkeycloak
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - description: Is connected to keycloak
+ jsonPath: .status.connected
+ name: Connected
+ type: boolean
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ClusterKeycloak is the Schema for the clusterkeycloaks API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterKeycloakSpec defines the desired state of ClusterKeycloak.
+ properties:
+ adminType:
+ default: user
+ description: |-
+ AdminType can be user or serviceAccount, if serviceAccount was specified,
+ then client_credentials grant type should be used for getting admin realm token.
+ enum:
+ - serviceAccount
+ - user
+ type: string
+ caCert:
+ description: |-
+ CACert defines the root certificate authority
+ that api clients use when verifying server certificates.
+ Resources should be in the namespace defined in operator OPERATOR_NAMESPACE env.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ type: string
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret.
+ properties:
+ key:
+ description: The key of the secret to select from.
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ type: string
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ insecureSkipVerify:
+ description: |-
+ InsecureSkipVerify controls whether api client verifies the server's
+ certificate chain and host name. If InsecureSkipVerify is true, api client
+ accepts any certificate presented by the server and any host name in that
+ certificate.
+ type: boolean
+ secret:
+ description: Secret is a secret name which contains admin credentials.
+ type: string
+ url:
+ description: URL of keycloak service.
+ type: string
+ required:
+ - secret
+ - url
+ type: object
+ status:
+ default:
+ connected: false
+ description: ClusterKeycloakStatus defines the observed state of ClusterKeycloak.
+ properties:
+ connected:
+ description: Connected shows if keycloak service is up and running.
+ type: boolean
+ required:
+ - connected
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1alpha1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: clusterkeycloakrealms.v1.edp.epam.com
+spec:
+ group: v1.edp.epam.com
+ names:
+ kind: ClusterKeycloakRealm
+ listKind: ClusterKeycloakRealmList
+ plural: clusterkeycloakrealms
+ singular: clusterkeycloakrealm
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - description: Keycloak realm is available
+ jsonPath: .status.available
+ name: Available
+ type: boolean
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ClusterKeycloakRealm is the Schema for the clusterkeycloakrealms
+ API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.
+ properties:
+ authenticationFlows:
+ description: AuthenticationFlow is the configuration for authentication
+ flows in the realm.
+ nullable: true
+ properties:
+ browserFlow:
+ description: BrowserFlow specifies the authentication flow to
+ use for the realm's browser clients.
+ example: browser
+ type: string
+ type: object
+ browserSecurityHeaders:
+ additionalProperties:
+ type: string
+ description: BrowserSecurityHeaders is a map of security headers to
+ apply to HTTP responses from the realm's browser clients.
+ nullable: true
+ type: object
+ clusterKeycloakRef:
+ description: ClusterKeycloakRef is a name of the ClusterKeycloak instance
+ that owns the realm.
+ type: string
+ displayHtmlName:
+ description: DisplayHTMLName name to render in the UI.
+ type: string
+ displayName:
+ description: DisplayName is the display name of the realm.
+ type: string
+ frontendUrl:
+ description: |-
+ FrontendURL Set the frontend URL for the realm.
+ Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.
+ type: string
+ localization:
+ description: Localization is the configuration for localization in
+ the realm.
+ nullable: true
+ properties:
+ internationalizationEnabled:
+ description: InternationalizationEnabled indicates whether to
+ enable internationalization.
+ nullable: true
+ type: boolean
+ type: object
+ passwordPolicy:
+ description: PasswordPolicies is a list of password policies to apply
+ to the realm.
+ items:
+ properties:
+ type:
+ description: Type of password policy.
+ type: string
+ value:
+ description: Value of password policy.
+ type: string
+ required:
+ - type
+ - value
+ type: object
+ nullable: true
+ type: array
+ realmEventConfig:
+ description: RealmEventConfig is the configuration for events in the
+ realm.
+ nullable: true
+ properties:
+ adminEventsDetailsEnabled:
+ description: AdminEventsDetailsEnabled indicates whether to enable
+ detailed admin events.
+ type: boolean
+ adminEventsEnabled:
+ description: AdminEventsEnabled indicates whether to enable admin
+ events.
+ type: boolean
+ enabledEventTypes:
+ description: EnabledEventTypes is a list of event types to enable.
+ items:
+ type: string
+ type: array
+ eventsEnabled:
+ description: EventsEnabled indicates whether to enable events.
+ type: boolean
+ eventsExpiration:
+ description: EventsExpiration is the number of seconds after which
+ events expire.
+ type: integer
+ eventsListeners:
+ description: EventsListeners is a list of event listeners to enable.
+ items:
+ type: string
+ type: array
+ type: object
+ realmName:
+ description: RealmName specifies the name of the realm.
+ type: string
+ themes:
+ description: Themes is a map of themes to apply to the realm.
+ nullable: true
+ properties:
+ accountTheme:
+ description: AccountTheme specifies the account theme to use for
+ the realm.
+ nullable: true
+ type: string
+ adminConsoleTheme:
+ description: AdminConsoleTheme specifies the admin console theme
+ to use for the realm.
+ nullable: true
+ type: string
+ emailTheme:
+ description: EmailTheme specifies the email theme to use for the
+ realm.
+ nullable: true
+ type: string
+ loginTheme:
+ description: LoginTheme specifies the login theme to use for the
+ realm.
+ nullable: true
+ type: string
+ type: object
+ tokenSettings:
+ description: TokenSettings is the configuration for tokens in the
+ realm.
+ nullable: true
+ properties:
+ accessCodeLifespan:
+ default: 60
+ description: |-
+ AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol.
+ This should normally be 1 minute.
+ type: integer
+ accessToken:
+ default: 900
+ description: AccessTokenLifespanForImplicitFlow specifies max
+ time(in seconds) before an access token is expired for implicit
+ flow.
+ type: integer
+ accessTokenLifespan:
+ default: 300
+ description: |-
+ AccessTokenLifespan specifies max time(in seconds) before an access token is expired.
+ This value is recommended to be short relative to the SSO timeout.
+ type: integer
+ actionTokenGeneratedByAdminLifespan:
+ default: 43200
+ description: |-
+ ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired.
+ This value is recommended to be long to allow administrators to send e-mails for users that are currently offline.
+ The default timeout can be overridden immediately before issuing the token.
+ type: integer
+ actionTokenGeneratedByUserLifespan:
+ default: 300
+ description: |-
+ AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired.
+ This value is recommended to be short because it's expected that the user would react to self-created action quickly.
+ type: integer
+ defaultSignatureAlgorithm:
+ default: RS256
+ description: DefaultSignatureAlgorithm specifies the default algorithm
+ used to sign tokens for the realm
+ enum:
+ - ES256
+ - ES384
+ - ES512
+ - EdDSA
+ - HS256
+ - HS384
+ - HS512
+ - PS256
+ - PS384
+ - PS512
+ - RS256
+ - RS384
+ - RS512
+ example: RS256
+ type: string
+ refreshTokenMaxReuse:
+ default: 0
+ description: |-
+ RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused.
+ When a different token is used, revocation is immediate.
+ type: integer
+ revokeRefreshToken:
+ default: false
+ description: |-
+ RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and
+ is revoked when a different token is used.
+ Otherwise, refresh tokens are not revoked when used and can be used multiple times.
+ type: boolean
+ type: object
+ required:
+ - clusterKeycloakRef
+ - realmName
+ type: object
+ status:
+ description: ClusterKeycloakRealmStatus defines the observed state of
+ ClusterKeycloakRealm.
+ properties:
+ available:
+ type: boolean
+ failureCount:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions:
+ - v1alpha1
+
+---
diff --git a/edp-keycloak-operator/kcl.mod b/edp-keycloak-operator/kcl.mod
new file mode 100644
index 00000000..969e4067
--- /dev/null
+++ b/edp-keycloak-operator/kcl.mod
@@ -0,0 +1,7 @@
+[package]
+name = "edp-keycloak-operator"
+edition = "v0.10.0"
+version = "v1.23.0"
+
+[dependencies]
+k8s = "1.31.2"
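Review bot: The `k8s = "1.31.2"` dependency is pinned by version only, and the `kcl.mod.lock` added in the same commit records just `name`, `full_name` and `version` under `[dependencies.k8s]`, with no `sum` entry. Without a recorded checksum the lock fixes which version is requested but not which content is accepted, so a package republished under the same tag would resolve without any integrity failure. If the KCL toolchain used here can write a `sum` field, regenerating the lock so that `[dependencies.k8s]` carries it would close that gap. If this toolchain version does not emit one, I would say so in the manifest, for example `# k8s: no checksum recorded in kcl.mod.lock; integrity relies on the registry`, so the missing pin reads as a known limitation.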
diff --git a/edp-keycloak-operator/kcl.mod.lock b/edp-keycloak-operator/kcl.mod.lock
new file mode 100644
index 00000000..7b4406f2
--- /dev/null
+++ b/edp-keycloak-operator/kcl.mod.lock
@@ -0,0 +1,5 @@
+[dependencies]
+ [dependencies.k8s]
+ name = "k8s"
+ full_name = "k8s_1.31.2"
+ version = "1.31.2"
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak.k
new file mode 100644
index 00000000..f1f219b3
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak.k
@@ -0,0 +1,143 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema Keycloak:
+ r"""
+ Keycloak is the Schema for the keycloaks API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "Keycloak", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "Keycloak" = "Keycloak"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakSpec
+
+ status?: V1EdpEpamComV1KeycloakStatus
+
+
+schema V1EdpEpamComV1KeycloakSpec:
+ r"""
+ KeycloakSpec defines the desired state of Keycloak.
+
+ Attributes
+ ----------
+ adminType : str, default is Undefined, optional
+ AdminType can be user or serviceAccount, if serviceAccount was specified, then client_credentials grant type should be used for getting admin realm token.
+ caCert : V1EdpEpamComV1KeycloakSpecCaCert, default is Undefined, optional
+ ca cert
+ insecureSkipVerify : bool, default is Undefined, optional
+ InsecureSkipVerify controls whether api client verifies the server's
+ certificate chain and host name. If InsecureSkipVerify is true, api client
+ accepts any certificate presented by the server and any host name in that
+ certificate.
+ secret : str, default is Undefined, required
+ Secret is a secret name which contains admin credentials.
+ url : str, default is Undefined, required
+ URL of keycloak service.
+ """
+
+
+ adminType?: "serviceAccount" | "user"
+
+ caCert?: V1EdpEpamComV1KeycloakSpecCaCert
+
+ insecureSkipVerify?: bool
+
+ secret: str
+
+ url: str
+
+
+schema V1EdpEpamComV1KeycloakSpecCaCert:
+ r"""
+ CACert defines the root certificate authority
+ that api client use when verifying server certificates.
+
+ Attributes
+ ----------
+ configMapKeyRef : V1EdpEpamComV1KeycloakSpecCaCertConfigMapKeyRef, default is Undefined, optional
+ config map key ref
+ secretKeyRef : V1EdpEpamComV1KeycloakSpecCaCertSecretKeyRef, default is Undefined, optional
+ secret key ref
+ """
+
+
+ configMapKeyRef?: V1EdpEpamComV1KeycloakSpecCaCertConfigMapKeyRef
+
+ secretKeyRef?: V1EdpEpamComV1KeycloakSpecCaCertSecretKeyRef
+
+
+schema V1EdpEpamComV1KeycloakSpecCaCertConfigMapKeyRef:
+ r"""
+ Selects a key of a ConfigMap.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key to select.
+ name : str, default is Undefined, optional
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ """
+
+
+ key: str
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakSpecCaCertSecretKeyRef:
+ r"""
+ Selects a key of a secret.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key of the secret to select from.
+ name : str, default is Undefined, optional
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ """
+
+
+ key: str
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakStatus:
+ r"""
+ KeycloakStatus defines the observed state of Keycloak.
+
+ Attributes
+ ----------
+ connected : bool, default is Undefined, required
+ Connected shows if keycloak service is up and running.
+ """
+
+
+ connected: bool
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_auth_flow.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_auth_flow.k
new file mode 100644
index 00000000..054c1ffc
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_auth_flow.k
@@ -0,0 +1,180 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakAuthFlow:
+ r"""
+ KeycloakAuthFlow is the Schema for the keycloak authentication flow API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakAuthFlow", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakAuthFlowSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakAuthFlowStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakAuthFlow" = "KeycloakAuthFlow"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakAuthFlowSpec
+
+ status?: V1EdpEpamComV1KeycloakAuthFlowStatus
+
+
+schema V1EdpEpamComV1KeycloakAuthFlowSpec:
+ r"""
+ KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.
+
+ Attributes
+ ----------
+ alias : str, default is Undefined, required
+ Alias is display name for authentication flow.
+ authenticationExecutions : [V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0], default is Undefined, optional
+ AuthenticationExecutions is list of authentication executions for this auth flow.
+ builtIn : bool, default is Undefined, required
+ BuiltIn is true if this is built-in auth flow.
+ childRequirement : str, default is Undefined, optional
+ ChildRequirement is requirement for child execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.
+ childType : str, default is Undefined, optional
+ ChildType is type for auth flow if it has a parent, available options: basic-flow, form-flow
+ description : str, default is Undefined, optional
+ Description is description for authentication flow.
+ parentName : str, default is Undefined, optional
+ ParentName is name of parent auth flow.
+ providerId : str, default is Undefined, required
+ ProviderID for root auth flow and provider for child auth flows.
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakAuthFlowSpecRealmRef, default is Undefined, optional
+ realm ref
+ topLevel : bool, default is Undefined, required
+ TopLevel is true if this is root auth flow.
+ """
+
+
+ alias: str
+
+ authenticationExecutions?: [V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0]
+
+ builtIn: bool
+
+ childRequirement?: str
+
+ childType?: str
+
+ description?: str
+
+ parentName?: str
+
+ providerId: str
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakAuthFlowSpecRealmRef
+
+ topLevel: bool
+
+
+schema V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0:
+ r"""
+ AuthenticationExecution defines keycloak authentication execution.
+
+ Attributes
+ ----------
+ alias : str, default is Undefined, optional
+ Alias is display name for this execution.
+ authenticator : str, default is Undefined, optional
+ Authenticator is name of authenticator.
+ authenticatorConfig : V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0AuthenticatorConfig, default is Undefined, optional
+ authenticator config
+ authenticatorFlow : bool, default is Undefined, optional
+ AuthenticatorFlow is true if this is auth flow.
+ priority : int, default is Undefined, optional
+ Priority is priority for this execution. Lower values have higher priority.
+ requirement : str, default is Undefined, optional
+ Requirement is requirement for this execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.
+ """
+
+
+ alias?: str
+
+ authenticator?: str
+
+ authenticatorConfig?: V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0AuthenticatorConfig
+
+ authenticatorFlow?: bool
+
+ priority?: int
+
+ requirement?: str
+
+
+schema V1EdpEpamComV1KeycloakAuthFlowSpecAuthenticationExecutionsItems0AuthenticatorConfig:
+ r"""
+ AuthenticatorConfig is configuration for authenticator.
+
+ Attributes
+ ----------
+ alias : str, default is Undefined, optional
+ Alias is display name for authenticator config.
+ config : {str:str}, default is Undefined, optional
+ Config is configuration for authenticator.
+ """
+
+
+ alias?: str
+
+ config?: {str:str}
+
+
+schema V1EdpEpamComV1KeycloakAuthFlowSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakAuthFlowStatus:
+ r"""
+ KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_client.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_client.k
new file mode 100644
index 00000000..6044706f
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_client.k
@@ -0,0 +1,610 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakClient:
+ r"""
+ KeycloakClient is the Schema for the keycloak clients API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakClient", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakClientSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakClientStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakClient" = "KeycloakClient"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakClientSpec
+
+ status?: V1EdpEpamComV1KeycloakClientStatus
+
+
+schema V1EdpEpamComV1KeycloakClientSpec:
+ r"""
+ KeycloakClientSpec defines the desired state of KeycloakClient.
+
+ Attributes
+ ----------
+ advancedProtocolMappers : bool, default is Undefined, optional
+ AdvancedProtocolMappers is a flag to enable advanced protocol mappers.
+ attributes : {str:str}, default is {"post.logout.redirect.uris": "+"}, optional
+ Attributes is a map of client attributes.
+ authorization : V1EdpEpamComV1KeycloakClientSpecAuthorization, default is Undefined, optional
+ authorization
+ authorizationServicesEnabled : bool, default is Undefined, optional
+ ServiceAccountsEnabled enable/disable fine-grained authorization support for a client.
+ bearerOnly : bool, default is Undefined, optional
+ BearerOnly is a flag to enable bearer-only.
+ clientAuthenticatorType : str, default is "client-secret", optional
+ ClientAuthenticatorType is a client authenticator type.
+ clientId : str, default is Undefined, required
+ ClientId is a unique keycloak client ID referenced in URI and tokens.
+ clientRoles : [str], default is Undefined, optional
+ ClientRoles is a list of client roles names assigned to client.
+ consentRequired : bool, default is Undefined, optional
+ ConsentRequired is a flag to enable consent.
+ defaultClientScopes : [str], default is Undefined, optional
+ DefaultClientScopes is a list of default client scopes assigned to client.
+ description : str, default is Undefined, optional
+ Description is a client description.
+ directAccess : bool, default is Undefined, optional
+ DirectAccess is a flag to set client as direct access.
+ enabled : bool, default is True, optional
+ Enabled is a flag to enable client.
+ frontChannelLogout : bool, default is Undefined, optional
+ FrontChannelLogout is a flag to enable front channel logout.
+ fullScopeAllowed : bool, default is True, optional
+ FullScopeAllowed is a flag to enable full scope.
+ implicitFlowEnabled : bool, default is Undefined, optional
+ ImplicitFlowEnabled is a flag to enable support for OpenID Connect redirect based authentication without authorization code.
+ name : str, default is Undefined, optional
+ Name is a client name.
+ optionalClientScopes : [str], default is Undefined, optional
+ OptionalClientScopes is a list of optional client scopes assigned to client.
+ $protocol : str, default is Undefined, optional
+ Protocol is a client protocol.
+ protocolMappers : [V1EdpEpamComV1KeycloakClientSpecProtocolMappersItems0], default is Undefined, optional
+ ProtocolMappers is a list of protocol mappers assigned to client.
+ public : bool, default is Undefined, optional
+ Public is a flag to set client as public.
+ realmRef : V1EdpEpamComV1KeycloakClientSpecRealmRef, default is Undefined, optional
+ realm ref
+ realmRoles : [V1EdpEpamComV1KeycloakClientSpecRealmRolesItems0], default is Undefined, optional
+ RealmRoles is a list of realm roles assigned to client.
+ reconciliationStrategy : str, default is Undefined, optional
+ ReconciliationStrategy is a strategy to reconcile client.
+ redirectUris : [str], default is Undefined, optional
+ RedirectUris is a list of valid URI pattern a browser can redirect to after a successful login.
+ Simple wildcards are allowed such as 'https://example.com/*'.
+ Relative path can be specified too, such as /my/relative/path/*. Relative paths are relative to the client root URL.
+ If not specified, spec.webUrl + "/*" will be used.
+ secret : str, default is Undefined, optional
+ Secret is kubernetes secret name where the client's secret will be stored.
+ Secret should have the following format: $secretName:secretKey.
+ If not specified, a client secret will be generated and stored in a secret with the name keycloak-client-{metadata.name}-secret.
+ If keycloak client is public, secret property will be ignored.
+ serviceAccount : V1EdpEpamComV1KeycloakClientSpecServiceAccount, default is Undefined, optional
+ service account
+ standardFlowEnabled : bool, default is True, optional
+ StandardFlowEnabled is a flag to enable standard flow.
+ surrogateAuthRequired : bool, default is Undefined, optional
+ SurrogateAuthRequired is a flag to enable surrogate auth.
+ targetRealm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ TargetRealm is a realm name where client will be created.
+ It has higher priority than RealmRef for backward compatibility.
+ If both TargetRealm and RealmRef are specified, TargetRealm will be used for client creation.
+ webOrigins : [str], default is Undefined, optional
+ WebOrigins is a list of allowed CORS origins.
+ To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though.
+ To permit all origins, explicitly add '*'.
+ If not specified, the value from `WebUrl` is used
+ webUrl : str, default is Undefined, optional
+ WebUrl is a client web url.
+ """
+
+
+ advancedProtocolMappers?: bool
+
+ attributes?: {str:str} = {"post.logout.redirect.uris": "+"}
+
+ authorization?: V1EdpEpamComV1KeycloakClientSpecAuthorization
+
+ authorizationServicesEnabled?: bool
+
+ bearerOnly?: bool
+
+ clientAuthenticatorType?: str = "client-secret"
+
+ clientId: str
+
+ clientRoles?: [str]
+
+ consentRequired?: bool
+
+ defaultClientScopes?: [str]
+
+ description?: str
+
+ directAccess?: bool
+
+ enabled?: bool = True
+
+ frontChannelLogout?: bool
+
+ fullScopeAllowed?: bool = True
+
+ implicitFlowEnabled?: bool
+
+ name?: str
+
+ optionalClientScopes?: [str]
+
+ $protocol?: str
+
+ protocolMappers?: [V1EdpEpamComV1KeycloakClientSpecProtocolMappersItems0]
+
+ public?: bool
+
+ realmRef?: V1EdpEpamComV1KeycloakClientSpecRealmRef
+
+ realmRoles?: [V1EdpEpamComV1KeycloakClientSpecRealmRolesItems0]
+
+ reconciliationStrategy?: "full" | "addOnly"
+
+ redirectUris?: [str]
+
+ secret?: str
+
+ serviceAccount?: V1EdpEpamComV1KeycloakClientSpecServiceAccount
+
+ standardFlowEnabled?: bool = True
+
+ surrogateAuthRequired?: bool
+
+ targetRealm?: str
+
+ webOrigins?: [str]
+
+ webUrl?: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorization:
+ r"""
+ Authorization is a client authorization configuration.
+
+ Attributes
+ ----------
+ permissions : [V1EdpEpamComV1KeycloakClientSpecAuthorizationPermissionsItems0], default is Undefined, optional
+ permissions
+ policies : [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0], default is Undefined, optional
+ policies
+ scopes : [str], default is Undefined, optional
+ scopes
+ """
+
+
+ permissions?: [V1EdpEpamComV1KeycloakClientSpecAuthorizationPermissionsItems0]
+
+ policies?: [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0]
+
+ scopes?: [str]
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPermissionsItems0:
+ r"""
+ v1 edp epam com v1 keycloak client spec authorization permissions items0
+
+ Attributes
+ ----------
+ decisionStrategy : str, default is "UNANIMOUS", optional
+ DecisionStrategy is a permission decision strategy.
+ description : str, default is Undefined, optional
+ Description is a permission description.
+ logic : str, default is "POSITIVE", optional
+ Logic is a permission logic.
+ name : str, default is Undefined, required
+ Name is a permission name.
+ policies : [str], default is Undefined, optional
+ Policies is a list of policies names.
+ Specifies all the policies that must be applied to the scopes defined by this policy or permission.
+ resources : [str], default is Undefined, optional
+ Resources is a list of resources names.
+ Specifies that this permission must be applied to all resource instances of a given type.
+ scopes : [str], default is Undefined, optional
+ Scopes is a list of authorization scopes names.
+ Specifies that this permission must be applied to one or more scopes.
+ $type : str, default is Undefined, required
+ Type is a permission type.
+ """
+
+
+ decisionStrategy?: "UNANIMOUS" | "AFFIRMATIVE" | "CONSENSUS" = "UNANIMOUS"
+
+ description?: str
+
+ logic?: "POSITIVE" | "NEGATIVE" = "POSITIVE"
+
+ name: str
+
+ policies?: [str]
+
+ resources?: [str]
+
+ scopes?: [str]
+
+ $type: "resource" | "scope"
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0:
+ r"""
+ Policy represents a client authorization policy.
+
+ Attributes
+ ----------
+ aggregatedPolicy : V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0AggregatedPolicy, default is Undefined, optional
+ aggregated policy
+ clientPolicy : V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0ClientPolicy, default is Undefined, optional
+ client policy
+ decisionStrategy : str, default is "UNANIMOUS", optional
+ DecisionStrategy is a policy decision strategy.
+ description : str, default is Undefined, optional
+ Description is a policy description.
+ groupPolicy : V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicy, default is Undefined, optional
+ group policy
+ logic : str, default is "POSITIVE", optional
+ Logic is a policy logic.
+ name : str, default is Undefined, required
+ Name is a policy name.
+ rolePolicy : V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicy, default is Undefined, optional
+ role policy
+ timePolicy : V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0TimePolicy, default is Undefined, optional
+ time policy
+ $type : str, default is Undefined, required
+ Type is a policy type.
+ userPolicy : V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0UserPolicy, default is Undefined, optional
+ user policy
+ """
+
+
+ aggregatedPolicy?: V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0AggregatedPolicy
+
+ clientPolicy?: V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0ClientPolicy
+
+ decisionStrategy?: "UNANIMOUS" | "AFFIRMATIVE" | "CONSENSUS" = "UNANIMOUS"
+
+ description?: str
+
+ groupPolicy?: V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicy
+
+ logic?: "POSITIVE" | "NEGATIVE" = "POSITIVE"
+
+ name: str
+
+ rolePolicy?: V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicy
+
+ timePolicy?: V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0TimePolicy
+
+ $type: "aggregate" | "client" | "group" | "role" | "time" | "user"
+
+ userPolicy?: V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0UserPolicy
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0AggregatedPolicy:
+ r"""
+ AggregatedPolicy is an aggregated policy settings.
+
+ Attributes
+ ----------
+ policies : [str], default is Undefined, required
+ Policies is a list of aggregated policies names.
+ Specifies all the policies that must be applied to the scopes defined by this policy or permission.
+ """
+
+
+ policies: [str]
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0ClientPolicy:
+ r"""
+ ClientPolicy is a client policy settings.
+
+ Attributes
+ ----------
+ clients : [str], default is Undefined, required
+ Clients is a list of client names. Specifies which client(s) are allowed by this policy.
+ """
+
+
+ clients: [str]
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicy:
+ r"""
+ GroupPolicy is a group policy settings.
+
+ Attributes
+ ----------
+ groups : [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicyGroupsItems0], default is Undefined, optional
+ Groups is a list of group names. Specifies which group(s) are allowed by this policy.
+ groupsClaim : str, default is Undefined, optional
+ GroupsClaim is a group claim.
+ If defined, the policy will fetch user's groups from the given claim
+ within an access token or ID token representing the identity asking permissions.
+ If not defined, user's groups are obtained from your realm configuration.
+ """
+
+
+ groups?: [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicyGroupsItems0]
+
+ groupsClaim?: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0GroupPolicyGroupsItems0:
+ r"""
+ GroupDefinition represents a group in a GroupPolicyData.
+
+ Attributes
+ ----------
+ extendChildren : bool, default is Undefined, optional
+ ExtendChildren is a flag that specifies whether to extend children.
+ name : str, default is Undefined, required
+ Name is a group name.
+ """
+
+
+ extendChildren?: bool
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicy:
+ r"""
+ RolePolicy is a role policy settings.
+
+ Attributes
+ ----------
+ roles : [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicyRolesItems0], default is Undefined, required
+ Roles is a list of role.
+ """
+
+
+ roles: [V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicyRolesItems0]
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0RolePolicyRolesItems0:
+ r"""
+ RoleDefinition represents a role in a RolePolicyData.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is a role name.
+ required : bool, default is Undefined, optional
+ Required is a flag that specifies whether the role is required.
+ """
+
+
+ name: str
+
+ required?: bool
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0TimePolicy:
+ r"""
+ ScopePolicy is a scope policy settings.
+
+ Attributes
+ ----------
+ dayMonth : str, default is Undefined, optional
+ Day defines the month which the policy MUST be granted.
+ You can also provide a range by filling the dayMonthEnd field.
+ In this case, permission is granted only if current month is between or equal to the two values you provided.
+ dayMonthEnd : str, default is Undefined, optional
+ day month end
+ hour : str, default is Undefined, optional
+ Hour defines the hour when the policy MUST be granted.
+ You can also provide a range by filling the hourEnd.
+ In this case, permission is granted only if current hour is between or equal to the two values you provided.
+ hourEnd : str, default is Undefined, optional
+ hour end
+ minute : str, default is Undefined, optional
+ Minute defines the minute when the policy MUST be granted.
+ You can also provide a range by filling the minuteEnd field.
+ In this case, permission is granted only if current minute is between or equal to the two values you provided.
+ minuteEnd : str, default is Undefined, optional
+ minute end
+ month : str, default is Undefined, optional
+ Month defines the month which the policy MUST be granted.
+ You can also provide a range by filling the monthEnd.
+ In this case, permission is granted only if current month is between or equal to the two values you provided.
+ monthEnd : str, default is Undefined, optional
+ month end
+ notBefore : str, default is Undefined, required
+ NotBefore defines the time before which the policy MUST NOT be granted.
+ Only granted if current date/time is after or equal to this value.
+ notOnOrAfter : str, default is Undefined, required
+ NotOnOrAfter defines the time after which the policy MUST NOT be granted.
+ Only granted if current date/time is before or equal to this value.
+ """
+
+
+ dayMonth?: str
+
+ dayMonthEnd?: str
+
+ hour?: str
+
+ hourEnd?: str
+
+ minute?: str
+
+ minuteEnd?: str
+
+ month?: str
+
+ monthEnd?: str
+
+ notBefore: str
+
+ notOnOrAfter: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecAuthorizationPoliciesItems0UserPolicy:
+ r"""
+ UserPolicy is a user policy settings.
+
+ Attributes
+ ----------
+ users : [str], default is Undefined, required
+ Users is a list of usernames. Specifies which user(s) are allowed by this policy.
+ """
+
+
+ users: [str]
+
+
+schema V1EdpEpamComV1KeycloakClientSpecProtocolMappersItems0:
+ r"""
+ v1 edp epam com v1 keycloak client spec protocol mappers items0
+
+ Attributes
+ ----------
+ config : {str:str}, default is Undefined, optional
+ Config is a map of protocol mapper configuration.
+ name : str, default is Undefined, optional
+ Name is a protocol mapper name.
+ $protocol : str, default is Undefined, optional
+ Protocol is a protocol name.
+ protocolMapper : str, default is Undefined, optional
+ ProtocolMapper is a protocol mapper name.
+ """
+
+
+ config?: {str:str}
+
+ name?: str
+
+ $protocol?: str
+
+ protocolMapper?: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecRealmRolesItems0:
+ r"""
+ v1 edp epam com v1 keycloak client spec realm roles items0
+
+ Attributes
+ ----------
+ composite : str, default is Undefined, required
+ Composite is a realm composite role name.
+ name : str, default is Undefined, optional
+ Name is a realm role name.
+ """
+
+
+ composite: str
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakClientSpecServiceAccount:
+ r"""
+ ServiceAccount is a service account configuration.
+
+ Attributes
+ ----------
+ attributes : {str:str}, default is Undefined, optional
+ Attributes is a map of service account attributes.
+ clientRoles : [V1EdpEpamComV1KeycloakClientSpecServiceAccountClientRolesItems0], default is Undefined, optional
+ ClientRoles is a list of client roles assigned to service account.
+ enabled : bool, default is Undefined, optional
+ Enabled is a flag to enable service account.
+ realmRoles : [str], default is Undefined, optional
+ RealmRoles is a list of realm roles assigned to service account.
+ """
+
+
+ attributes?: {str:str}
+
+ clientRoles?: [V1EdpEpamComV1KeycloakClientSpecServiceAccountClientRolesItems0]
+
+ enabled?: bool
+
+ realmRoles?: [str]
+
+
+schema V1EdpEpamComV1KeycloakClientSpecServiceAccountClientRolesItems0:
+ r"""
+ v1 edp epam com v1 keycloak client spec service account client roles items0
+
+ Attributes
+ ----------
+ clientId : str, default is Undefined, required
+ ClientID is a client ID.
+ roles : [str], default is Undefined, optional
+ Roles is a list of client roles names assigned to service account.
+ """
+
+
+ clientId: str
+
+ roles?: [str]
+
+
+schema V1EdpEpamComV1KeycloakClientStatus:
+ r"""
+ KeycloakClientStatus defines the observed state of KeycloakClient.
+
+ Attributes
+ ----------
+ clientId : str, default is Undefined, optional
+ client Id
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ clientId?: str
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_client_scope.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_client_scope.k
new file mode 100644
index 00000000..46ebea6f
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_client_scope.k
@@ -0,0 +1,146 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakClientScope:
+ r"""
+ KeycloakClientScope is the Schema for the keycloakclientscopes API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakClientScope", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakClientScopeSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakClientScopeStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakClientScope" = "KeycloakClientScope"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakClientScopeSpec
+
+ status?: V1EdpEpamComV1KeycloakClientScopeStatus
+
+
+schema V1EdpEpamComV1KeycloakClientScopeSpec:
+ r"""
+ KeycloakClientScopeSpec defines the desired state of KeycloakClientScope.
+
+ Attributes
+ ----------
+ attributes : {str:str}, default is Undefined, optional
+ Attributes is a map of client scope attributes.
+ default : bool, default is Undefined, optional
+ Default is a flag to set client scope as default.
+ description : str, default is Undefined, optional
+ Description is a description of client scope.
+ name : str, default is Undefined, required
+ Name of keycloak client scope.
+ $protocol : str, default is Undefined, required
+ Protocol is SSO protocol configuration which is being supplied by this client scope.
+ protocolMappers : [V1EdpEpamComV1KeycloakClientScopeSpecProtocolMappersItems0], default is Undefined, optional
+ ProtocolMappers is a list of protocol mappers assigned to client scope.
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakClientScopeSpecRealmRef, default is Undefined, optional
+ realm ref
+ """
+
+
+ attributes?: {str:str}
+
+ default?: bool
+
+ description?: str
+
+ name: str
+
+ $protocol: str
+
+ protocolMappers?: [V1EdpEpamComV1KeycloakClientScopeSpecProtocolMappersItems0]
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakClientScopeSpecRealmRef
+
+
+schema V1EdpEpamComV1KeycloakClientScopeSpecProtocolMappersItems0:
+ r"""
+ v1 edp epam com v1 keycloak client scope spec protocol mappers items0
+
+ Attributes
+ ----------
+ config : {str:str}, default is Undefined, optional
+ Config is a map of protocol mapper configuration.
+ name : str, default is Undefined, optional
+ Name is a protocol mapper name.
+ $protocol : str, default is Undefined, optional
+ Protocol is a protocol name.
+ protocolMapper : str, default is Undefined, optional
+ ProtocolMapper is a protocol mapper name.
+ """
+
+
+ config?: {str:str}
+
+ name?: str
+
+ $protocol?: str
+
+ protocolMapper?: str
+
+
+schema V1EdpEpamComV1KeycloakClientScopeSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakClientScopeStatus:
+ r"""
+ KeycloakClientScopeStatus defines the observed state of KeycloakClientScope.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ id : str, default is Undefined, optional
+ id
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ id?: str
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm.k
new file mode 100644
index 00000000..089163ab
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm.k
@@ -0,0 +1,294 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealm:
+ r"""
+ KeycloakRealm is the Schema for the keycloak realms API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealm", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealm" = "KeycloakRealm"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmSpec:
+ r"""
+ KeycloakRealmSpec defines the desired state of KeycloakRealm.
+
+ Attributes
+ ----------
+ browserFlow : str, default is Undefined, optional
+ BrowserFlow specifies the authentication flow to use for the realm's browser clients.
+ browserSecurityHeaders : {str:str}, default is Undefined, optional
+ BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients.
+ displayHtmlName : str, default is Undefined, optional
+ DisplayHTMLName name to render in the UI
+ displayName : str, default is Undefined, optional
+ DisplayName is the display name of the realm.
+ frontendUrl : str, default is Undefined, optional
+ FrontendURL Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.
+ id : str, default is Undefined, optional
+ ID is the ID of the realm.
+ keycloakOwner : str, default is Undefined, optional
+ Deprecated: use KeycloakRef instead.
+ KeycloakOwner specifies the name of the Keycloak instance that owns the realm.
+ keycloakRef : V1EdpEpamComV1KeycloakRealmSpecKeycloakRef, default is Undefined, optional
+ keycloak ref
+ passwordPolicy : [V1EdpEpamComV1KeycloakRealmSpecPasswordPolicyItems0], default is Undefined, optional
+ PasswordPolicies is a list of password policies to apply to the realm.
+ realmEventConfig : V1EdpEpamComV1KeycloakRealmSpecRealmEventConfig, default is Undefined, optional
+ realm event config
+ realmName : str, default is Undefined, required
+ RealmName specifies the name of the realm.
+ themes : V1EdpEpamComV1KeycloakRealmSpecThemes, default is Undefined, optional
+ themes
+ tokenSettings : V1EdpEpamComV1KeycloakRealmSpecTokenSettings, default is Undefined, optional
+ token settings
+ users : [V1EdpEpamComV1KeycloakRealmSpecUsersItems0], default is Undefined, optional
+ Users is a list of users to create in the realm.
+ """
+
+
+ browserFlow?: str
+
+ browserSecurityHeaders?: {str:str}
+
+ displayHtmlName?: str
+
+ displayName?: str
+
+ frontendUrl?: str
+
+ id?: str
+
+ keycloakOwner?: str
+
+ keycloakRef?: V1EdpEpamComV1KeycloakRealmSpecKeycloakRef
+
+ passwordPolicy?: [V1EdpEpamComV1KeycloakRealmSpecPasswordPolicyItems0]
+
+ realmEventConfig?: V1EdpEpamComV1KeycloakRealmSpecRealmEventConfig
+
+ realmName: str
+
+ themes?: V1EdpEpamComV1KeycloakRealmSpecThemes
+
+ tokenSettings?: V1EdpEpamComV1KeycloakRealmSpecTokenSettings
+
+ users?: [V1EdpEpamComV1KeycloakRealmSpecUsersItems0]
+
+
+schema V1EdpEpamComV1KeycloakRealmSpecKeycloakRef:
+ r"""
+ KeycloakRef is reference to Keycloak custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "Keycloak" | "ClusterKeycloak"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmSpecPasswordPolicyItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm spec password policy items0
+
+ Attributes
+ ----------
+ $type : str, default is Undefined, required
+ Type of password policy.
+ value : str, default is Undefined, required
+ Value of password policy.
+ """
+
+
+ $type: str
+
+ value: str
+
+
+schema V1EdpEpamComV1KeycloakRealmSpecRealmEventConfig:
+ r"""
+ RealmEventConfig is the configuration for events in the realm.
+
+ Attributes
+ ----------
+ adminEventsDetailsEnabled : bool, default is Undefined, optional
+ AdminEventsDetailsEnabled indicates whether to enable detailed admin events.
+ adminEventsEnabled : bool, default is Undefined, optional
+ AdminEventsEnabled indicates whether to enable admin events.
+ enabledEventTypes : [str], default is Undefined, optional
+ EnabledEventTypes is a list of event types to enable.
+ eventsEnabled : bool, default is Undefined, optional
+ EventsEnabled indicates whether to enable events.
+ eventsExpiration : int, default is Undefined, optional
+ EventsExpiration is the number of seconds after which events expire.
+ eventsListeners : [str], default is Undefined, optional
+ EventsListeners is a list of event listeners to enable.
+ """
+
+
+ adminEventsDetailsEnabled?: bool
+
+ adminEventsEnabled?: bool
+
+ enabledEventTypes?: [str]
+
+ eventsEnabled?: bool
+
+ eventsExpiration?: int
+
+ eventsListeners?: [str]
+
+
+schema V1EdpEpamComV1KeycloakRealmSpecThemes:
+ r"""
+ Themes is a map of themes to apply to the realm.
+
+ Attributes
+ ----------
+ accountTheme : str, default is Undefined, optional
+ AccountTheme specifies the account theme to use for the realm.
+ adminConsoleTheme : str, default is Undefined, optional
+ AdminConsoleTheme specifies the admin console theme to use for the realm.
+ emailTheme : str, default is Undefined, optional
+ EmailTheme specifies the email theme to use for the realm.
+ internationalizationEnabled : bool, default is Undefined, optional
+ InternationalizationEnabled indicates whether to enable internationalization.
+ loginTheme : str, default is Undefined, optional
+ LoginTheme specifies the login theme to use for the realm.
+ """
+
+
+ accountTheme?: str
+
+ adminConsoleTheme?: str
+
+ emailTheme?: str
+
+ internationalizationEnabled?: bool
+
+ loginTheme?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmSpecTokenSettings:
+ r"""
+ TokenSettings is the configuration for tokens in the realm.
+
+ Attributes
+ ----------
+ accessCodeLifespan : int, default is 60, optional
+ AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol.
+ This should normally be 1 minute.
+ accessToken : int, default is 900, optional
+ AccessTokenLifespanForImplicitFlow specifies max time(in seconds) before an access token is expired for implicit flow.
+ accessTokenLifespan : int, default is 300, optional
+ AccessTokenLifespan specifies max time(in seconds) before an access token is expired.
+ This value is recommended to be short relative to the SSO timeout.
+ actionTokenGeneratedByAdminLifespan : int, default is 43200, optional
+ ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired.
+ This value is recommended to be long to allow administrators to send e-mails for users that are currently offline.
+ The default timeout can be overridden immediately before issuing the token.
+ actionTokenGeneratedByUserLifespan : int, default is 300, optional
+ AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired.
+ This value is recommended to be short because it's expected that the user would react to self-created action quickly.
+ defaultSignatureAlgorithm : str, default is "RS256", optional
+ DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm
+ refreshTokenMaxReuse : int, default is Undefined, optional
+ RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused.
+ When a different token is used, revocation is immediate.
+ revokeRefreshToken : bool, default is Undefined, optional
+ RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and
+ is revoked when a different token is used.
+ Otherwise, refresh tokens are not revoked when used and can be used multiple times.
+ """
+
+
+ accessCodeLifespan?: int = 60
+
+ accessToken?: int = 900
+
+ accessTokenLifespan?: int = 300
+
+ actionTokenGeneratedByAdminLifespan?: int = 43200
+
+ actionTokenGeneratedByUserLifespan?: int = 300
+
+ defaultSignatureAlgorithm?: "ES256" | "ES384" | "ES512" | "EdDSA" | "HS256" | "HS384" | "HS512" | "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" = "RS256"
+
+ refreshTokenMaxReuse?: int = 0
+
+ revokeRefreshToken?: bool = False
+
+
+schema V1EdpEpamComV1KeycloakRealmSpecUsersItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm spec users items0
+
+ Attributes
+ ----------
+ realmRoles : [str], default is Undefined, optional
+ RealmRoles is a list of roles attached to keycloak user.
+ username : str, default is Undefined, required
+ Username of keycloak user.
+ """
+
+
+ realmRoles?: [str]
+
+ username: str
+
+
+schema V1EdpEpamComV1KeycloakRealmStatus:
+ r"""
+ KeycloakRealmStatus defines the observed state of KeycloakRealm.
+
+ Attributes
+ ----------
+ available : bool, default is Undefined, optional
+ available
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ available?: bool
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_component.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_component.k
new file mode 100644
index 00000000..7611e991
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_component.k
@@ -0,0 +1,134 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealmComponent:
+ r"""
+ KeycloakRealmComponent is the Schema for the keycloak component API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealmComponent", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmComponentSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmComponentStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealmComponent" = "KeycloakRealmComponent"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmComponentSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmComponentStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmComponentSpec:
+ r"""
+ KeycloakComponentSpec defines the desired state of KeycloakRealmComponent.
+
+ Attributes
+ ----------
+ config : {str:[str]}, default is Undefined, optional
+ Config is a map of component configuration.
+ Map key is a name of configuration property, map value is an array value of configuration properties.
+ Any configuration property can be a reference to k8s secret, in this case the property should be in format $secretName:secretKey.
+ name : str, default is Undefined, required
+ Name of keycloak component.
+ parentRef : V1EdpEpamComV1KeycloakRealmComponentSpecParentRef, default is Undefined, optional
+ parent ref
+ providerId : str, default is Undefined, required
+ ProviderID is a provider ID of component.
+ providerType : str, default is Undefined, required
+ ProviderType is a provider type of component.
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakRealmComponentSpecRealmRef, default is Undefined, optional
+ realm ref
+ """
+
+
+ config?: {str:[str]}
+
+ name: str
+
+ parentRef?: V1EdpEpamComV1KeycloakRealmComponentSpecParentRef
+
+ providerId: str
+
+ providerType: str
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakRealmComponentSpecRealmRef
+
+
+schema V1EdpEpamComV1KeycloakRealmComponentSpecParentRef:
+ r"""
+ ParentRef specifies a parent resource.
+ If not specified, then parent is realm specified in realm field.
+
+ Attributes
+ ----------
+ kind : str, default is "KeycloakRealm", optional
+ Kind is a kind of parent component. By default, it is KeycloakRealm.
+ name : str, default is Undefined, required
+ Name is a name of parent component custom resource.
+ For example, if Kind is KeycloakRealm, then Name is name of KeycloakRealm custom resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "KeycloakRealmComponent" = "KeycloakRealm"
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakRealmComponentSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmComponentStatus:
+ r"""
+ KeycloakComponentStatus defines the observed state of KeycloakRealmComponent.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_group.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_group.k
new file mode 100644
index 00000000..a271cacb
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_group.k
@@ -0,0 +1,142 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealmGroup:
+ r"""
+ KeycloakRealmGroup is the Schema for the keycloak group API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealmGroup", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmGroupSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmGroupStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealmGroup" = "KeycloakRealmGroup"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmGroupSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmGroupStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmGroupSpec:
+ r"""
+ KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup.
+
+ Attributes
+ ----------
+ access : {str:bool}, default is Undefined, optional
+ Access is a map of group access.
+ attributes : {str:[str]}, default is Undefined, optional
+ Attributes is a map of group attributes.
+ clientRoles : [V1EdpEpamComV1KeycloakRealmGroupSpecClientRolesItems0], default is Undefined, optional
+ ClientRoles is a list of client roles assigned to group.
+ name : str, default is Undefined, required
+ Name of keycloak group.
+ path : str, default is Undefined, optional
+ Path is a group path.
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakRealmGroupSpecRealmRef, default is Undefined, optional
+ realm ref
+ realmRoles : [str], default is Undefined, optional
+ RealmRoles is a list of realm roles assigned to group.
+ subGroups : [str], default is Undefined, optional
+ SubGroups is a list of subgroups assigned to group.
+ """
+
+
+ access?: {str:bool}
+
+ attributes?: {str:[str]}
+
+ clientRoles?: [V1EdpEpamComV1KeycloakRealmGroupSpecClientRolesItems0]
+
+ name: str
+
+ path?: str
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakRealmGroupSpecRealmRef
+
+ realmRoles?: [str]
+
+ subGroups?: [str]
+
+
+schema V1EdpEpamComV1KeycloakRealmGroupSpecClientRolesItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm group spec client roles items0
+
+ Attributes
+ ----------
+ clientId : str, default is Undefined, required
+ ClientID is a client ID.
+ roles : [str], default is Undefined, optional
+ Roles is a list of client roles names assigned to service account.
+ """
+
+
+ clientId: str
+
+ roles?: [str]
+
+
+schema V1EdpEpamComV1KeycloakRealmGroupSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmGroupStatus:
+ r"""
+ KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ id : str, default is Undefined, optional
+ ID is a group ID.
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ id?: str
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_identity_provider.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_identity_provider.k
new file mode 100644
index 00000000..e59361d8
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_identity_provider.k
@@ -0,0 +1,168 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealmIdentityProvider:
+ r"""
+ KeycloakRealmIdentityProvider is the Schema for the keycloak realm identity provider API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealmIdentityProvider", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmIdentityProviderSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmIdentityProviderStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealmIdentityProvider" = "KeycloakRealmIdentityProvider"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmIdentityProviderSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmIdentityProviderStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmIdentityProviderSpec:
+ r"""
+ KeycloakRealmIdentityProviderSpec defines the desired state of KeycloakRealmIdentityProvider.
+
+ Attributes
+ ----------
+ addReadTokenRoleOnCreate : bool, default is Undefined, optional
+ AddReadTokenRoleOnCreate is a flag to add read token role on create.
+ alias : str, default is Undefined, required
+ Alias is a alias of identity provider.
+ authenticateByDefault : bool, default is Undefined, optional
+ AuthenticateByDefault is a flag to authenticate by default.
+ config : {str:str}, default is Undefined, required
+ Config is a map of identity provider configuration.
+ Map key is a name of configuration property, map value is a value of configuration property.
+ Any value can be a reference to k8s secret, in this case value should be in format $secretName:secretKey.
+ displayName : str, default is Undefined, optional
+ DisplayName is a display name of identity provider.
+ enabled : bool, default is Undefined, required
+ Enabled is a flag to enable/disable identity provider.
+ firstBrokerLoginFlowAlias : str, default is Undefined, optional
+ FirstBrokerLoginFlowAlias is a first broker login flow alias.
+ linkOnly : bool, default is Undefined, optional
+ LinkOnly is a flag to link only.
+ mappers : [V1EdpEpamComV1KeycloakRealmIdentityProviderSpecMappersItems0], default is Undefined, optional
+ Mappers is a list of identity provider mappers.
+ providerId : str, default is Undefined, required
+ ProviderID is a provider ID of identity provider.
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakRealmIdentityProviderSpecRealmRef, default is Undefined, optional
+ realm ref
+ storeToken : bool, default is Undefined, optional
+ StoreToken is a flag to store token.
+ trustEmail : bool, default is Undefined, optional
+ TrustEmail is a flag to trust email.
+ """
+
+
+ addReadTokenRoleOnCreate?: bool
+
+ alias: str
+
+ authenticateByDefault?: bool
+
+ config: {str:str}
+
+ displayName?: str
+
+ enabled: bool
+
+ firstBrokerLoginFlowAlias?: str
+
+ linkOnly?: bool
+
+ mappers?: [V1EdpEpamComV1KeycloakRealmIdentityProviderSpecMappersItems0]
+
+ providerId: str
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakRealmIdentityProviderSpecRealmRef
+
+ storeToken?: bool
+
+ trustEmail?: bool
+
+
+schema V1EdpEpamComV1KeycloakRealmIdentityProviderSpecMappersItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm identity provider spec mappers items0
+
+ Attributes
+ ----------
+ config : {str:str}, default is Undefined, optional
+ Config is a map of identity provider mapper configuration.
+ identityProviderAlias : str, default is Undefined, optional
+ IdentityProviderAlias is a identity provider alias.
+ identityProviderMapper : str, default is Undefined, optional
+ IdentityProviderMapper is a identity provider mapper.
+ name : str, default is Undefined, optional
+ Name is a name of identity provider mapper.
+ """
+
+
+ config?: {str:str}
+
+ identityProviderAlias?: str
+
+ identityProviderMapper?: str
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmIdentityProviderSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmIdentityProviderStatus:
+ r"""
+ KeycloakRealmIdentityProviderStatus defines the observed state of KeycloakRealmIdentityProvider.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_role.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_role.k
new file mode 100644
index 00000000..823ac288
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_role.k
@@ -0,0 +1,152 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealmRole:
+ r"""
+ KeycloakRealmRole is the Schema for the keycloak group API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealmRole", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmRoleSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmRoleStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealmRole" = "KeycloakRealmRole"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmRoleSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmRoleStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleSpec:
+ r"""
+ KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole.
+
+ Attributes
+ ----------
+ attributes : {str:[str]}, default is Undefined, optional
+ Attributes is a map of role attributes.
+ composite : bool, default is Undefined, optional
+ Composite is a flag if role is composite.
+ composites : [V1EdpEpamComV1KeycloakRealmRoleSpecCompositesItems0], default is Undefined, optional
+ Composites is a list of composites roles assigned to role.
+ compositesClientRoles : {str:[V1EdpEpamComV1KeycloakRealmRoleSpecCompositesClientRolesItems0]}, default is Undefined, optional
+ CompositesClientRoles is a map of composites client roles assigned to role.
+ description : str, default is Undefined, optional
+ Description is a role description.
+ isDefault : bool, default is Undefined, optional
+ IsDefault is a flag if role is default.
+ name : str, default is Undefined, required
+ Name of keycloak role.
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakRealmRoleSpecRealmRef, default is Undefined, optional
+ realm ref
+ """
+
+
+ attributes?: {str:[str]}
+
+ composite?: bool
+
+ composites?: [V1EdpEpamComV1KeycloakRealmRoleSpecCompositesItems0]
+
+ compositesClientRoles?: {str:[V1EdpEpamComV1KeycloakRealmRoleSpecCompositesClientRolesItems0]}
+
+ description?: str
+
+ isDefault?: bool
+
+ name: str
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakRealmRoleSpecRealmRef
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleSpecCompositesClientRolesItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm role spec composites client roles items0
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is a name of composite role.
+ """
+
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleSpecCompositesItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm role spec composites items0
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is a name of composite role.
+ """
+
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleStatus:
+ r"""
+ KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ id : str, default is Undefined, optional
+ ID is a role ID.
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ id?: str
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_role_batch.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_role_batch.k
new file mode 100644
index 00000000..87e7be90
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_role_batch.k
@@ -0,0 +1,144 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealmRoleBatch:
+ r"""
+ KeycloakRealmRoleBatch is the Schema for the keycloak roles API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealmRoleBatch", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmRoleBatchSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmRoleBatchStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealmRoleBatch" = "KeycloakRealmRoleBatch"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmRoleBatchSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmRoleBatchStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleBatchSpec:
+ r"""
+ KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch.
+
+ Attributes
+ ----------
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakRealmRoleBatchSpecRealmRef, default is Undefined, optional
+ realm ref
+ roles : [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0], default is Undefined, required
+ Roles is a list of roles to be created.
+ """
+
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakRealmRoleBatchSpecRealmRef
+
+ roles: [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0]
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleBatchSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm role batch spec roles items0
+
+ Attributes
+ ----------
+ attributes : {str:[str]}, default is Undefined, optional
+ Attributes is a map of role attributes.
+ composite : bool, default is Undefined, optional
+ Composite is a flag if role is composite.
+ composites : [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0CompositesItems0], default is Undefined, optional
+ Composites is a list of composites roles assigned to role.
+ description : str, default is Undefined, optional
+ Description is a role description.
+ isDefault : bool, default is Undefined, optional
+ IsDefault is a flag if role is default.
+ name : str, default is Undefined, required
+ Name of keycloak role.
+ """
+
+
+ attributes?: {str:[str]}
+
+ composite?: bool
+
+ composites?: [V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0CompositesItems0]
+
+ description?: str
+
+ isDefault?: bool
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleBatchSpecRolesItems0CompositesItems0:
+ r"""
+ v1 edp epam com v1 keycloak realm role batch spec roles items0 composites items0
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is a name of composite role.
+ """
+
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakRealmRoleBatchStatus:
+ r"""
+ KeycloakRealmRoleBatchStatus defines the observed state of KeycloakRealmRoleBatch.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_user.k b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_user.k
new file mode 100644
index 00000000..eb267f20
--- /dev/null
+++ b/edp-keycloak-operator/v1/v1_edp_epam_com_v1_keycloak_realm_user.k
@@ -0,0 +1,170 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema KeycloakRealmUser:
+ r"""
+ KeycloakRealmUser is the Schema for the keycloak user API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "KeycloakRealmUser", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1KeycloakRealmUserSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1KeycloakRealmUserStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1" = "v1.edp.epam.com/v1"
+
+ kind: "KeycloakRealmUser" = "KeycloakRealmUser"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1KeycloakRealmUserSpec
+
+ status?: V1EdpEpamComV1KeycloakRealmUserStatus
+
+
+schema V1EdpEpamComV1KeycloakRealmUserSpec:
+ r"""
+ KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser.
+
+ Attributes
+ ----------
+ attributes : {str:str}, default is Undefined, optional
+ Attributes is a map of user attributes.
+ email : str, default is Undefined, optional
+ Email is a user email.
+ emailVerified : bool, default is Undefined, optional
+ EmailVerified is a user email verified flag.
+ enabled : bool, default is Undefined, optional
+ Enabled is a user enabled flag.
+ firstName : str, default is Undefined, optional
+ FirstName is a user first name.
+ groups : [str], default is Undefined, optional
+ Groups is a list of groups assigned to user.
+ keepResource : bool, default is True, optional
+ KeepResource, when set to false, results in the deletion of the KeycloakRealmUser Custom Resource (CR)
+ from the cluster after the corresponding user is created in Keycloak. The user will continue to exist in Keycloak.
+ When set to true, the CR will not be deleted after processing.
+ lastName : str, default is Undefined, optional
+ LastName is a user last name.
+ password : str, default is Undefined, optional
+ Password is a user password. Allows to keep user password within Custom Resource. For security concerns, it is recommended to use PasswordSecret instead.
+ passwordSecret : V1EdpEpamComV1KeycloakRealmUserSpecPasswordSecret, default is Undefined, optional
+ password secret
+ realm : str, default is Undefined, optional
+ Deprecated: use RealmRef instead.
+ Realm is name of KeycloakRealm custom resource.
+ realmRef : V1EdpEpamComV1KeycloakRealmUserSpecRealmRef, default is Undefined, optional
+ realm ref
+ reconciliationStrategy : str, default is Undefined, optional
+ ReconciliationStrategy is a strategy for reconciliation. Possible values: full, create-only.
+ Default value: full. If set to create-only, user will be created only if it does not exist. If user exists, it will not be updated.
+ If set to full, user will be created if it does not exist, or updated if it exists.
+ requiredUserActions : [str], default is Undefined, optional
+ RequiredUserActions is required action when user log in, example: CONFIGURE_TOTP, UPDATE_PASSWORD, UPDATE_PROFILE, VERIFY_EMAIL.
+ roles : [str], default is Undefined, optional
+ Roles is a list of roles assigned to user.
+ username : str, default is Undefined, required
+ Username is a username in keycloak.
+ """
+
+
+ attributes?: {str:str}
+
+ email?: str
+
+ emailVerified?: bool
+
+ enabled?: bool
+
+ firstName?: str
+
+ groups?: [str]
+
+ keepResource?: bool = True
+
+ lastName?: str
+
+ password?: str
+
+ passwordSecret?: V1EdpEpamComV1KeycloakRealmUserSpecPasswordSecret
+
+ realm?: str
+
+ realmRef?: V1EdpEpamComV1KeycloakRealmUserSpecRealmRef
+
+ reconciliationStrategy?: str
+
+ requiredUserActions?: [str]
+
+ roles?: [str]
+
+ username: str
+
+
+schema V1EdpEpamComV1KeycloakRealmUserSpecPasswordSecret:
+ r"""
+ PasswordSecret defines Kubernetes secret Name and Key, which holds User secret.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ Key is the key in the secret.
+ name : str, default is Undefined, required
+ Name is the name of the secret.
+ """
+
+
+ key: str
+
+ name: str
+
+
+schema V1EdpEpamComV1KeycloakRealmUserSpecRealmRef:
+ r"""
+ RealmRef is reference to Realm custom resource.
+
+ Attributes
+ ----------
+ kind : str, default is Undefined, optional
+ Kind specifies the kind of the Keycloak resource.
+ name : str, default is Undefined, optional
+ Name specifies the name of the Keycloak resource.
+ """
+
+
+ kind?: "KeycloakRealm" | "ClusterKeycloakRealm"
+
+ name?: str
+
+
+schema V1EdpEpamComV1KeycloakRealmUserStatus:
+ r"""
+ KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser.
+
+ Attributes
+ ----------
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ failureCount?: int
+
+ value?: str
+
+
diff --git a/edp-keycloak-operator/v1alpha1/v1_edp_epam_com_v1alpha1_cluster_keycloak.k b/edp-keycloak-operator/v1alpha1/v1_edp_epam_com_v1alpha1_cluster_keycloak.k
new file mode 100644
index 00000000..c72aec7b
--- /dev/null
+++ b/edp-keycloak-operator/v1alpha1/v1_edp_epam_com_v1alpha1_cluster_keycloak.k
@@ -0,0 +1,145 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema ClusterKeycloak:
+ r"""
+ ClusterKeycloak is the Schema for the clusterkeycloaks API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1alpha1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "ClusterKeycloak", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1alpha1ClusterKeycloakSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1alpha1ClusterKeycloakStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1alpha1" = "v1.edp.epam.com/v1alpha1"
+
+ kind: "ClusterKeycloak" = "ClusterKeycloak"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1alpha1ClusterKeycloakSpec
+
+ status?: V1EdpEpamComV1alpha1ClusterKeycloakStatus
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakSpec:
+ r"""
+ ClusterKeycloakSpec defines the desired state of ClusterKeycloak.
+
+ Attributes
+ ----------
+ adminType : str, default is "user", optional
+ AdminType can be user or serviceAccount, if serviceAccount was specified,
+ then client_credentials grant type should be used for getting admin realm token.
+ caCert : V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCert, default is Undefined, optional
+ ca cert
+ insecureSkipVerify : bool, default is Undefined, optional
+ InsecureSkipVerify controls whether api client verifies the server's
+ certificate chain and host name. If InsecureSkipVerify is true, api client
+ accepts any certificate presented by the server and any host name in that
+ certificate.
+ secret : str, default is Undefined, required
+ Secret is a secret name which contains admin credentials.
+ url : str, default is Undefined, required
+ URL of keycloak service.
+ """
+
+
+ adminType?: "serviceAccount" | "user" = "user"
+
+ caCert?: V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCert
+
+ insecureSkipVerify?: bool
+
+ secret: str
+
+ url: str
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCert:
+ r"""
+ CACert defines the root certificate authority
+ that api clients use when verifying server certificates.
+ Resources should be in the namespace defined in operator OPERATOR_NAMESPACE env.
+
+ Attributes
+ ----------
+ configMapKeyRef : V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertConfigMapKeyRef, default is Undefined, optional
+ config map key ref
+ secretKeyRef : V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertSecretKeyRef, default is Undefined, optional
+ secret key ref
+ """
+
+
+ configMapKeyRef?: V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertConfigMapKeyRef
+
+ secretKeyRef?: V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertSecretKeyRef
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertConfigMapKeyRef:
+ r"""
+ Selects a key of a ConfigMap.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key to select.
+ name : str, default is Undefined, optional
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ """
+
+
+ key: str
+
+ name?: str
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakSpecCaCertSecretKeyRef:
+ r"""
+ Selects a key of a secret.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key of the secret to select from.
+ name : str, default is Undefined, optional
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ """
+
+
+ key: str
+
+ name?: str
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakStatus:
+ r"""
+ ClusterKeycloakStatus defines the observed state of ClusterKeycloak.
+
+ Attributes
+ ----------
+ connected : bool, default is Undefined, required
+ Connected shows if keycloak service is up and running.
+ """
+
+
+ connected: bool
+
+
diff --git a/edp-keycloak-operator/v1alpha1/v1_edp_epam_com_v1alpha1_cluster_keycloak_realm.k b/edp-keycloak-operator/v1alpha1/v1_edp_epam_com_v1alpha1_cluster_keycloak_realm.k
new file mode 100644
index 00000000..3cb6e2ee
--- /dev/null
+++ b/edp-keycloak-operator/v1alpha1/v1_edp_epam_com_v1alpha1_cluster_keycloak_realm.k
@@ -0,0 +1,274 @@
+"""
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import k8s.apimachinery.pkg.apis.meta.v1
+
+
+schema ClusterKeycloakRealm:
+ r"""
+ ClusterKeycloakRealm is the Schema for the clusterkeycloakrealms API.
+
+ Attributes
+ ----------
+ apiVersion : str, default is "v1.edp.epam.com/v1alpha1", required
+ APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ kind : str, default is "ClusterKeycloakRealm", required
+ Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ metadata : v1.ObjectMeta, default is Undefined, optional
+ metadata
+ spec : V1EdpEpamComV1alpha1ClusterKeycloakRealmSpec, default is Undefined, optional
+ spec
+ status : V1EdpEpamComV1alpha1ClusterKeycloakRealmStatus, default is Undefined, optional
+ status
+ """
+
+
+ apiVersion: "v1.edp.epam.com/v1alpha1" = "v1.edp.epam.com/v1alpha1"
+
+ kind: "ClusterKeycloakRealm" = "ClusterKeycloakRealm"
+
+ metadata?: v1.ObjectMeta
+
+ spec?: V1EdpEpamComV1alpha1ClusterKeycloakRealmSpec
+
+ status?: V1EdpEpamComV1alpha1ClusterKeycloakRealmStatus
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpec:
+ r"""
+ ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.
+
+ Attributes
+ ----------
+ authenticationFlows : V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecAuthenticationFlows, default is Undefined, optional
+ authentication flows
+ browserSecurityHeaders : {str:str}, default is Undefined, optional
+ BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients.
+ clusterKeycloakRef : str, default is Undefined, required
+ ClusterKeycloakRef is a name of the ClusterKeycloak instance that owns the realm.
+ displayHtmlName : str, default is Undefined, optional
+ DisplayHTMLName name to render in the UI.
+ displayName : str, default is Undefined, optional
+ DisplayName is the display name of the realm.
+ frontendUrl : str, default is Undefined, optional
+ FrontendURL Set the frontend URL for the realm.
+ Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.
+ localization : V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecLocalization, default is Undefined, optional
+ localization
+ passwordPolicy : [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecPasswordPolicyItems0], default is Undefined, optional
+ PasswordPolicies is a list of password policies to apply to the realm.
+ realmEventConfig : V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecRealmEventConfig, default is Undefined, optional
+ realm event config
+ realmName : str, default is Undefined, required
+ RealmName specifies the name of the realm.
+ themes : V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecThemes, default is Undefined, optional
+ themes
+ tokenSettings : V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecTokenSettings, default is Undefined, optional
+ token settings
+ """
+
+
+ authenticationFlows?: V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecAuthenticationFlows
+
+ browserSecurityHeaders?: {str:str}
+
+ clusterKeycloakRef: str
+
+ displayHtmlName?: str
+
+ displayName?: str
+
+ frontendUrl?: str
+
+ localization?: V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecLocalization
+
+ passwordPolicy?: [V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecPasswordPolicyItems0]
+
+ realmEventConfig?: V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecRealmEventConfig
+
+ realmName: str
+
+ themes?: V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecThemes
+
+ tokenSettings?: V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecTokenSettings
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecAuthenticationFlows:
+ r"""
+ AuthenticationFlow is the configuration for authentication flows in the realm.
+
+ Attributes
+ ----------
+ browserFlow : str, default is Undefined, optional
+ BrowserFlow specifies the authentication flow to use for the realm's browser clients.
+ """
+
+
+ browserFlow?: str
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecLocalization:
+ r"""
+ Localization is the configuration for localization in the realm.
+
+ Attributes
+ ----------
+ internationalizationEnabled : bool, default is Undefined, optional
+ InternationalizationEnabled indicates whether to enable internationalization.
+ """
+
+
+ internationalizationEnabled?: bool
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecPasswordPolicyItems0:
+ r"""
+ v1 edp epam com v1alpha1 cluster keycloak realm spec password policy items0
+
+ Attributes
+ ----------
+ $type : str, default is Undefined, required
+ Type of password policy.
+ value : str, default is Undefined, required
+ Value of password policy.
+ """
+
+
+ $type: str
+
+ value: str
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecRealmEventConfig:
+ r"""
+ RealmEventConfig is the configuration for events in the realm.
+
+ Attributes
+ ----------
+ adminEventsDetailsEnabled : bool, default is Undefined, optional
+ AdminEventsDetailsEnabled indicates whether to enable detailed admin events.
+ adminEventsEnabled : bool, default is Undefined, optional
+ AdminEventsEnabled indicates whether to enable admin events.
+ enabledEventTypes : [str], default is Undefined, optional
+ EnabledEventTypes is a list of event types to enable.
+ eventsEnabled : bool, default is Undefined, optional
+ EventsEnabled indicates whether to enable events.
+ eventsExpiration : int, default is Undefined, optional
+ EventsExpiration is the number of seconds after which events expire.
+ eventsListeners : [str], default is Undefined, optional
+ EventsListeners is a list of event listeners to enable.
+ """
+
+
+ adminEventsDetailsEnabled?: bool
+
+ adminEventsEnabled?: bool
+
+ enabledEventTypes?: [str]
+
+ eventsEnabled?: bool
+
+ eventsExpiration?: int
+
+ eventsListeners?: [str]
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecThemes:
+ r"""
+ Themes is a map of themes to apply to the realm.
+
+ Attributes
+ ----------
+ accountTheme : str, default is Undefined, optional
+ AccountTheme specifies the account theme to use for the realm.
+ adminConsoleTheme : str, default is Undefined, optional
+ AdminConsoleTheme specifies the admin console theme to use for the realm.
+ emailTheme : str, default is Undefined, optional
+ EmailTheme specifies the email theme to use for the realm.
+ loginTheme : str, default is Undefined, optional
+ LoginTheme specifies the login theme to use for the realm.
+ """
+
+
+ accountTheme?: str
+
+ adminConsoleTheme?: str
+
+ emailTheme?: str
+
+ loginTheme?: str
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmSpecTokenSettings:
+ r"""
+ TokenSettings is the configuration for tokens in the realm.
+
+ Attributes
+ ----------
+ accessCodeLifespan : int, default is 60, optional
+ AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol.
+ This should normally be 1 minute.
+ accessToken : int, default is 900, optional
+ AccessTokenLifespanForImplicitFlow specifies max time(in seconds) before an access token is expired for implicit flow.
+ accessTokenLifespan : int, default is 300, optional
+ AccessTokenLifespan specifies max time(in seconds) before an access token is expired.
+ This value is recommended to be short relative to the SSO timeout.
+ actionTokenGeneratedByAdminLifespan : int, default is 43200, optional
+ ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired.
+ This value is recommended to be long to allow administrators to send e-mails for users that are currently offline.
+ The default timeout can be overridden immediately before issuing the token.
+ actionTokenGeneratedByUserLifespan : int, default is 300, optional
+ AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired.
+ This value is recommended to be short because it's expected that the user would react to self-created action quickly.
+ defaultSignatureAlgorithm : str, default is "RS256", optional
+ DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm
+ refreshTokenMaxReuse : int, default is Undefined, optional
+ RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused.
+ When a different token is used, revocation is immediate.
+ revokeRefreshToken : bool, default is Undefined, optional
+ RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and
+ is revoked when a different token is used.
+ Otherwise, refresh tokens are not revoked when used and can be used multiple times.
+ """
+
+
+ accessCodeLifespan?: int = 60
+
+ accessToken?: int = 900
+
+ accessTokenLifespan?: int = 300
+
+ actionTokenGeneratedByAdminLifespan?: int = 43200
+
+ actionTokenGeneratedByUserLifespan?: int = 300
+
+ defaultSignatureAlgorithm?: "ES256" | "ES384" | "ES512" | "EdDSA" | "HS256" | "HS384" | "HS512" | "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" = "RS256"
+
+ refreshTokenMaxReuse?: int = 0
+
+ revokeRefreshToken?: bool = False
+
+
+schema V1EdpEpamComV1alpha1ClusterKeycloakRealmStatus:
+ r"""
+ ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm.
+
+ Attributes
+ ----------
+ available : bool, default is Undefined, optional
+ available
+ failureCount : int, default is Undefined, optional
+ failure count
+ value : str, default is Undefined, optional
+ value
+ """
+
+
+ available?: bool
+
+ failureCount?: int
+
+ value?: str
+
+