From bacb75617371ee7270f1d37511cd2c6bc89b8820 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Fri, 12 Jun 2026 11:31:07 -0500
Subject: [PATCH] feat(fc-desktop): OnePasswordItem CRD for remotedesktop-oidc-client (L9 flip-readiness, gate stays OFF)

Co-Authored-By: Claude Fable 5
---
 apps/fc-desktop/fc-desktop.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/apps/fc-desktop/fc-desktop.yaml b/apps/fc-desktop/fc-desktop.yaml
index 9773152..773469e 100644
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -14,6 +14,20 @@
 # cluster-rebuild repeatability. See
 # feedback_networkpolicies_belong_in_bluejay_infra.md.
 ---
+# OIDC client secret for the RemoteDesktop end-user sign-in (fleet regroup L9,
+# 2026-06-12). The Authentik provider `remotedesktop` already exists; the 1P item
+# `remotedesktop-oidc-client` (vault IAmWorkin) carries issuer_url / client_id /
+# client_secret, and the 1Password operator mints the same-named K8s Secret that
+# k8s/web-deployment.yaml (FlowerCore.RemoteDesktop repo) consumes with
+# optional:true. Gate stays OFF (Q-RD-16) — this is flip-READINESS only.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: remotedesktop-oidc-client
+ namespace: fc-desktop
+spec:
+ itemPath: "vaults/IAmWorkin/items/remotedesktop-oidc-client"
+---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
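Review bot: The new `OnePasswordItem` mirrors the whole 1Password item at `spec.itemPath` into the `remotedesktop-oidc-client` Secret, so, as far as I know the operator, the comment's field list (issuer_url / client_id / client_secret) is a convention the manifest does not enforce, and anything later added to that item also lands in the `fc-desktop` namespace. I would add a comment line such as `# Keep the 1P item to exactly these three fields; the operator copies every field into the Secret.` above `apiVersion: onepassword.com/v1`. Rotation is not covered either: if the consuming Deployment reads the Secret as env vars, its pods keep the old `client_secret` until restarted, so consider `operator.1password.io/auto-restart: "true"` under `metadata.annotations` unless auto-restart is already enabled operator-wide. The vault name `IAmWorkin` reads like a general-purpose vault; if it is, the operator's token can read everything in it, and a vault dedicated to this cluster would narrow that access before the gate is flipped.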