OpenShift Authentication / AUTH-543

Authentication operator configuration per auth type

    • Story
    • Resolution: Unresolved
    • Major
    • openshift-4.18
    • Auth - Sprint 250

      The CAO observes the auth type configured in the auth CR and configures authentication accordingly.
       

      The main resources affected by the auth type and controlled by the CAO are:

      • the oauth-metadata
      • the webhook token authenticator
      • the oauth-server and oauth-apiserver deployments (which effectively control the user and auth APIs)

      These must be removed in case of external OIDC, and (re)created in case of Integrated OAuth. Note that in case of OIDC, removing these resources must be done strictly after the KAS pods have been successfully configured with OIDC. The signal for the successful configuration is still TBD; for example, it could be the KAS-o recording an Available=True status in the auth CR Status of OIDC clients.
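
The ordering rule above, as an added Go sketch (not code from the CAO or from this issue): the operands are ensured for Integrated OAuth and removed for OIDC only once the KAS signal is present, failing closed when it is missing. The auth type strings, the `ClientStatus` shape, the `kube-apiserver` component name and the use of `Available=True` as the signal are assumptions, since the issue leaves the signal TBD.

```go
package main

import "fmt"

type Action string

const (
	Ensure Action = "ensure" // create or update the operand
	Keep   Action = "keep"   // leave in place and re-check on the next sync
	Remove Action = "remove"
)

// Operands the issue lists as controlled by the CAO.
var operands = []string{"oauth-metadata", "webhook-token-authenticator", "oauth-server", "oauth-apiserver"}

// ClientStatus is a hypothetical, simplified OIDC client status entry from the auth CR.
type ClientStatus struct {
	Component  string
	Conditions map[string]string // condition type -> status
}

// kasReady fails closed: a missing entry or any value other than "True" means not ready.
func kasReady(statuses []ClientStatus) bool {
	for _, s := range statuses {
		if s.Component == "kube-apiserver" { // assumed component name
			return s.Conditions["Available"] == "True"
		}
	}
	return false
}

// Plan maps the observed auth type and status to one action for all operands.
func Plan(authType string, statuses []ClientStatus) (Action, error) {
	switch authType {
	case "", "IntegratedOAuth": // constructed values; empty treated as the integrated default
		return Ensure, nil
	case "OIDC":
		if kasReady(statuses) {
			return Remove, nil
		}
		return Keep, nil // KAS not confirmed on OIDC yet: removing now would break auth
	}
	return Keep, fmt.Errorf("unhandled auth type %q", authType)
}

func main() {
	pending := []ClientStatus{{"kube-apiserver", map[string]string{"Available": "False"}}}
	ready := []ClientStatus{{"kube-apiserver", map[string]string{"Available": "True"}}}
	for _, st := range [][]ClientStatus{nil, pending, ready} {
		a, _ := Plan("OIDC", st)
		fmt.Println(a, operands)
	}
}
```

An unrecognised auth type returns `Keep` together with an error, so a malformed or future value never triggers removal of the authentication operands.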

              rh-ee-irinis Ilias Rinis