telekom · ron96g · May 12, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/admin/README.md b/admin/README.md
@@ -64,7 +64,7 @@ This CRD represents a physical or logical deployment target with gateway and ide
 - Each Zone creates its own dedicated namespace (stored in `status.namespace`) for managing related resources.
 - Zones define gateway configuration, identity provider settings, and Redis connection details.
 - The `visibility` field controls subscription behavior and can be either `World` or `Enterprise`.
-- Zones can optionally define Team APIs through the `teamApis` field, which creates routes on the gateway.
+- Zones can optionally define managed routes through the `managedRoutes` field. Each route has a `type`: `TeamAPI` (authenticated, no ACL) or `Proxy` (passthrough reverse proxy).
 - The Zone controller creates and manages related resources in its handlers.
 - All managed resources are labeled with both `cp.ei.telekom.de/environment` and `cp.ei.telekom.de/zone` labels.
 

diff --git a/admin/api/v1/zone_types.go b/admin/api/v1/zone_types.go
@@ -78,7 +78,23 @@ type GatewayConfig struct {
 	CircuitBreaker bool `json:"circuitBreaker"`
 }
 
-type ApiConfig struct {
+// ManagedRouteType defines the type of a managed route.
+// +kubebuilder:validation:Enum=TeamAPI;Proxy
+type ManagedRouteType string
+
+const (
+	// ManagedRouteTypeTeamAPI creates a route with authentication (PassThrough=false)
+	// and disabled access control on the zone's team-api gateway realm.
+	// Used for team APIs that require token validation but no per-consumer ACLs.
+	ManagedRouteTypeTeamAPI ManagedRouteType = "TeamAPI"
+
+	// ManagedRouteTypeProxy creates a fully passthrough route (PassThrough=true)
+	// on the zone's default gateway realm that acts as a pure reverse proxy
+	// without any authentication or authorization.
+	ManagedRouteTypeProxy ManagedRouteType = "Proxy"
+)
+
+type ManagedRouteConfig struct {
 	// Name is the name of the created route. It must be unique within the zone.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Pattern=^[a-z0-9]+(-?[a-z0-9]+)*$
@@ -91,10 +107,14 @@ type ApiConfig struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Format=uri
 	Url string `json:"url"`
+	// Type selects the route behavior: Api (authenticated, no ACL) or Proxy (passthrough reverse proxy).
+	// +kubebuilder:validation:Required
+	Type ManagedRouteType `json:"type"`
 }
 
-type TeamApiConfig struct {
-	Apis []ApiConfig `json:"apis"`
+type ManagedRoutesConfig struct {
+	// +kubebuilder:validation:MinItems=1
+	Routes []ManagedRouteConfig `json:"routes"`
 }
 
 type PermissionsConfig struct {
@@ -142,7 +162,7 @@ type ZoneSpec struct {
 	IdentityProvider IdentityProviderConfig `json:"identityProvider"`
 	Gateway          GatewayConfig          `json:"gateway"`
 	Redis            RedisConfig            `json:"redis"`
-	TeamApis         *TeamApiConfig         `json:"teamApis,omitempty"`
+	ManagedRoutes    *ManagedRoutesConfig   `json:"managedRoutes,omitempty"`
 	// +kubebuilder:validation:Enum=World;Enterprise
 	// Visibility controls what subscriptions are allowed from and to this zone. It's also relevant for features like failover
 	Visibility ZoneVisibility `json:"visibility"`
@@ -194,9 +214,10 @@ type ZoneStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 
-	Namespace        string           `json:"namespace,omitempty"`
-	IdentityProvider *types.ObjectRef `json:"identityProvider,omitempty"`
-	IdentityRealm    *types.ObjectRef `json:"identityRealm,omitempty"`
+	Namespace             string           `json:"namespace,omitempty"`
+	IdentityProvider      *types.ObjectRef `json:"identityProvider,omitempty"`
+	IdentityRealm         *types.ObjectRef `json:"identityRealm,omitempty"`
+	InternalIdentityRealm *types.ObjectRef `json:"internalIdentityRealm,omitempty"`
 
 	Gateway         *types.ObjectRef `json:"gateway,omitempty"`
 	GatewayRealm    *types.ObjectRef `json:"gatewayRealm,omitempty"`
@@ -205,7 +226,7 @@ type ZoneStatus struct {
 
 	TeamApiIdentityRealm *types.ObjectRef  `json:"teamApiIdentityRealm,omitempty"`
 	TeamApiGatewayRealm  *types.ObjectRef  `json:"teamApiGatewayRealm,omitempty"`
-	TeamApiRoutes        []types.ObjectRef `json:"teamApiRoutes,omitempty"`
+	ManagedRoutes        []types.ObjectRef `json:"managedRoutes,omitempty"`
 	Links                Links             `json:"links,omitempty"`
 
 	// Features is a list of features that are enabled or disabled for this zone.

diff --git a/admin/api/v1/zz_generated.deepcopy.go b/admin/api/v1/zz_generated.deepcopy.go
diff --git a/admin/config/crd/bases/admin.cp.ei.telekom.de_zones.yaml b/admin/config/crd/bases/admin.cp.ei.telekom.de_zones.yaml
@@ -189,6 +189,43 @@ spec:
                 - admin
                 - url
                 type: object
+              managedRoutes:
+                properties:
+                  routes:
+                    items:
+                      properties:
+                        name:
+                          description: Name is the name of the created route. It must
+                            be unique within the zone.
+                          pattern: ^[a-z0-9]+(-?[a-z0-9]+)*$
+                          type: string
+                        path:
+                          description: Path is the path of the route exposed on the
+                            gateway.
+                          pattern: ^/.*$
+                          type: string
+                        type:
+                          description: 'Type selects the route behavior: Api (authenticated,
+                            no ACL) or Proxy (passthrough reverse proxy).'
+                          enum:
+                          - TeamAPI
+                          - Proxy
+                          type: string
+                        url:
+                          description: Url is the upstream URL of the route.
+                          format: uri
+                          type: string
+                      required:
+                      - name
+                      - path
+                      - type
+                      - url
+                      type: object
+                    minItems: 1
+                    type: array
+                required:
+                - routes
+                type: object
               permissions:
                 description: Permissions configuration for permission service integration
                 properties:
@@ -223,34 +260,6 @@ spec:
                 - password
                 - port
                 type: object
-              teamApis:
-                properties:
-                  apis:
-                    items:
-                      properties:
-                        name:
-                          description: Name is the name of the created route. It must
-                            be unique within the zone.
-                          pattern: ^[a-z0-9]+(-?[a-z0-9]+)*$
-                          type: string
-                        path:
-                          description: Path is the path of the route exposed on the
-                            gateway.
-                          pattern: ^/.*$
-                          type: string
-                        url:
-                          description: Url is the upstream URL of the route.
-                          format: uri
-                          type: string
-                      required:
-                      - name
-                      - path
-                      - url
-                      type: object
-                    type: array
-                required:
-                - apis
-                type: object
               visibility:
                 description: Visibility controls what subscriptions are allowed from
                   and to this zone. It's also relevant for features like failover
@@ -458,6 +467,25 @@ spec:
                 - name
                 - namespace
                 type: object
+              internalIdentityRealm:
+                description: |-
+                  ObjectRef is a reference to a Kubernetes object
+                  It is similar to types.NamespacedName but has the required json tags for serialization
+                properties:
+                  name:
+                    type: string
+                  namespace:
+                    type: string
+                  uid:
+                    description: |-
+                      UID is a type that holds unique ID values, including UUIDs.  Because we
+                      don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                      intent and helps make sure that UIDs and names do not get conflated.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
               links:
                 properties:
                   gatewayIssuer:
@@ -491,6 +519,27 @@ spec:
                 - gatewayIssuer
                 - gatewayUrl
                 type: object
+              managedRoutes:
+                items:
+                  description: |-
+                    ObjectRef is a reference to a Kubernetes object
+                    It is similar to types.NamespacedName but has the required json tags for serialization
+                  properties:
+                    name:
+                      type: string
+                    namespace:
+                      type: string
+                    uid:
+                      description: |-
+                        UID is a type that holds unique ID values, including UUIDs.  Because we
+                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                        intent and helps make sure that UIDs and names do not get conflated.
+                      type: string
+                  required:
+                  - name
+                  - namespace
+                  type: object
+                type: array
               namespace:
                 type: string
               teamApiGatewayRealm:
@@ -531,27 +580,6 @@ spec:
                 - name
                 - namespace
                 type: object
-              teamApiRoutes:
-                items:
-                  description: |-
-                    ObjectRef is a reference to a Kubernetes object
-                    It is similar to types.NamespacedName but has the required json tags for serialization
-                  properties:
-                    name:
-                      type: string
-                    namespace:
-                      type: string
-                    uid:
-                      description: |-
-                        UID is a type that holds unique ID values, including UUIDs.  Because we
-                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
-                        intent and helps make sure that UIDs and names do not get conflated.
-                      type: string
-                  required:
-                  - name
-                  - namespace
-                  type: object
-                type: array
             type: object
         type: object
         x-kubernetes-validations:

diff --git a/admin/config/samples/admin_v1_zone.yaml b/admin/config/samples/admin_v1_zone.yaml
@@ -28,9 +28,10 @@ spec:
     host: bla
     port: 0
     password: password
-  teamApis:
-    apis:
+  managedRoutes:
+    routes:
       - name: my-first-team-api
         path: /my/first/team/api
         url: https://somewhere.com/other/api/path
+        type: TeamAPI