Wei Li Firstly it does make sense that the Keycloak Operator is using a secret rather than a ConfigMap, if there is sensitive data in it.

If I understand it correctly; the data which a Service produces after processing the 'consumption CR', can be either stored in a Secret or a ConfigMap, this is at the discretion of the Service. MDC will have the permissions to read either Secrets and ConfigMaps in the managed namespace. MDC will add some logic to combine the info from the relevant Secrets and/or Config Maps into a mobile-services.json and expose an endpoint which will return the complete mobile-services.json. This endpoint can be used by developers even if they don't use the MDC UI. Is that understanding correct?

Will MDC operator continually watch for those Secrets/ConfigMaps or will it only read them when the endpoint is invoked?

Does this behaviour then remove the card we have for 'accessing the Config via a 'oc' command'? With this approach then we are saying that you must have MDC running to get your config for your Mobile App? This is probably ok, when we are talking about RHMI.